A company has hundreds of AWS accounts in an organization in AWS Organizations. The company operates out of a single AWS Region. The company has a dedicated security tooling AWS account in the organization. The security tooling account is configured as the organization's delegated administrator for Amazon GuardDuty and AWS Security Hub. The company has configured the environment to automatically enable GuardDuty and Security Hub for existing AWS accounts and new AWS accounts.
The company is performing control tests on specific GuardDuty findings to make sure that the company's security team can detect and respond to security events. The security team launched an Amazon EC2 instance and attempted to run DNS requests against a test domain, example.com, to generate a DNS finding. However, the GuardDuty finding was never created in the Security Hub delegated administrator account.
Why was the finding was not created in the Security Hub delegated administrator account?

1. A. VPC flow logs were not turned on for the VPC where the EC2 instance was launched.
2. B. The VPC where the EC2 instance was launched had the DHCP option configured for a custom OpenDNS resolver.
3. C. The GuardDuty integration with Security Hub was never activated in the AWS account where the finding was generated.
4. D. Cross-Region aggregation in Security Hub was not configured.

Correct Answer: C
The correct answer is C. The GuardDuty integration with Security Hub was never activated in the AWS account where the finding was generated.
According to the AWS documentation1, GuardDuty findings are automatically sent to Security Hub only if the GuardDuty integration with Security Hub is enabled in the same account and Region. This means that the security tooling account, which is the delegated administrator for both GuardDuty and Security Hub, must enable the GuardDuty integration with Security Hub in each member account and Region where GuardDuty is enabled. Otherwise, the findings from GuardDuty will not be visible in Security Hub.
The other options are incorrect because:
VPC flow logs are not required for GuardDuty to generate DNS findings. GuardDuty uses VPC DNS logs, which are automatically enabled for all VPCs, to detect malicious or unauthorized DNS activity.
The DHCP option configured for a custom OpenDNS resolver does not affect GuardDuty’s ability to generate DNS findings. GuardDuty uses its own threat intelligence sources to identify malicious domains, regardless of the DNS resolver used by the EC2 instance.
Cross-Region aggregation in Security Hub is not relevant for this scenario, because the company operates out of a single AWS Region. Cross-Region aggregation allows Security Hub to aggregate findings from multiple Regions into a single Region.
References:
1: Managing GuardDuty accounts with AWS Organizations : Amazon GuardDuty Findings : How Amazon GuardDuty Works : Cross-Region aggregation in AWS Security Hub

A company has an organization in AWS Organizations. The company wants to use AWS CloudFormation StackSets in the organization to deploy various AWS design patterns into environments. These patterns consist of Amazon EC2 instances, Elastic Load Balancing (ELB) load balancers, Amazon RDS databases, and Amazon Elastic Kubernetes Service (Amazon EKS) clusters or Amazon Elastic Container Service (Amazon ECS) clusters.
Currently, the company's developers can create their own CloudFormation stacks to increase the overall speed of delivery. A centralized CI/CD pipeline in a shared services AWS account deploys each CloudFormation stack.
The company's security team has already provided requirements for each service in accordance with internal standards. If there are any resources that do not comply with the internal standards, the security team must receive notification to take appropriate action. The security team must implement a notification solution that gives developers the ability to maintain the same overall delivery speed that they currently have.
Which solution will meet these requirements in the MOST operationally efficient way?

1. A. Create an Amazon Simple Notification Service (Amazon SNS) topi
2. B. Subscribe the security team's email addresses to the SNS topi
3. C. Create a custom AWS Lambda function that will run the aws cloudformation validate-template AWS CLI command on all CloudFormation templates before the build stage in the CI/CD pipelin
4. D. Configure the CI/CD pipeline to publish a notification to the SNS topic if any issues are found.
5. E. Create an Amazon Simple Notification Service (Amazon SNS) topi
6. F. Subscribe the security team's email addresses to the SNS topi
7. G. Create custom rules in CloudFormation Guard for each resource configuratio
8. H. In the CllCD pipeline, before the build stage, configure a Docker image to run the cfn-guard command on the CloudFormation templat
9. I. Configure the CI/CD pipeline to publish a notification to the SNS topic if any issues are found.
10. J. Create an Amazon Simple Notification Service (Amazon SNS) topic and an Am-azon Simple Queue Service (Amazon SQS) queu
11. K. Subscribe the security team's email addresses to the SNS topi
12. L. Create an Amazon S3 bucket in the shared services AWS accoun
13. M. Include an event notification to publish to the SQS queue when new objects are added to the S3 bucke
14. N. Require the de-velopers to put their CloudFormation templates in the S3 bucke
15. O. Launch EC2 instances that automatically scale based on the SQS queue dept
16. P. Con-figure the EC2 instances to use CloudFormation Guard to scan the templates and deploy the templates if there are no issue
17. Q. Configure the CllCD pipe-line to publish a notification to the SNS topic if any issues are found.
18. R. Create a centralized CloudFormation stack set that includes a standard set of resources that the developers can deploy in each AWS accoun
19. S. Configure each CloudFormation template to meet the security requirement
20. T. For any new resources or configurations, update the CloudFormation template and send the template to the security team for revie
21. . When the review is com-pleted, add the new CloudFormation stack to the repository for the devel-opers to use.

Correct Answer: B

A company is designing a multi-account structure for its development teams. The company is using AWS Organizations and AWS Single Sign-On (AWS SSO). The company must implement a solution so that the development teams can use only specific AWS Regions and so that each AWS account allows access to only specific AWS services.
Which solution will meet these requirements with the LEAST operational overhead?

1. A. Use AWS SSO to set up service-linked roles with IAM policy statements that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.
2. B. Deactivate AWS Security Token Service (AWS STS) in Regions that the developers are not allowed to use.
3. C. Create SCPs that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.
4. D. For each AWS account, create tailored identity-based policies for AWS SS
5. E. Use statements that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.

Correct Answer: C
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_syntax.html#scp-eleme

A development team is attempting to encrypt and decode a secure string parameter from the IAM Systems Manager Parameter Store using an IAM Key Management Service (IAM KMS) CMK. However, each attempt results in an error message being sent to the development team.
Which CMK-related problems possibly account for the error? (Select two.)

1. A. The CMK is used in the attempt does not exist.
2. B. The CMK is used in the attempt needs to be rotated.
3. C. The CMK is used in the attempt is using the CMK€™s key ID instead of the CMK ARN.
4. D. The CMK is used in the attempt is not enabled.
5. E. The CMK is used in the attempt is using an alias.

Correct Answer: AD
https://docs.IAM.amazon.com/kms/latest/developerguide/services-parameter-store.html#parameter-store-cmk-fa

A company has a new partnership with a vendor. The vendor will process data from the company's customers. The company will upload data files as objects into an Amazon S3 bucket. The vendor will download the objects to perform data processing. The objects will contain sensi-tive data.
A security engineer must implement a solution that prevents objects from resid-ing in the S3 bucket for longer than 72 hours.
Which solution will meet these requirements?

1. A. Use Amazon Macie to scan the S3 bucket for sensitive data every 72 hour
2. B. Configure Macie to delete the objects that contain sensitive data when they are discovered.
3. C. Configure an S3 Lifecycle rule on the S3 bucket to expire objects that have been in the S3 bucket for 72 hours.
4. D. Create an Amazon EventBridge scheduled rule that invokes an AWS Lambda function every day.Program the Lambda function to remove any objects that have been in the S3 bucket for 72 hours.
5. E. Use the S3 Intelligent-Tiering storage class for all objects that are up-loaded to the S3 bucke
6. F. Use S3 Intelligent-Tiering to expire objects that have been in the S3 bucket for 72 hours.

Correct Answer: B