A company wants to ensure that its IAM resources can be launched only in the us-east-1 and us-west-2 Regions.
What is the MOST operationally efficient solution that will prevent developers from launching Amazon EC2 instances in other Regions?

1. A. Enable Amazon GuardDuty in all Region
2. B. Create alerts to detect unauthorized activity outside us-east-1 and us-west-2.
3. C. Use an organization in IAM Organization
4. D. Attach an SCP that allows all actions when the IAM: Requested Region condition key is either us-east-1 or us-west-2. Delete the FullIAMAccess policy.
5. E. Provision EC2 resources by using IAM Cloud Formation templates through IAM CodePipelin
6. F. Allow only the values of us-east-1 and us-west-2 in the IAM CloudFormation template's parameters.
7. G. Create an IAM Config rule to prevent unauthorized activity outside us-east-1 and us-west-2.

Correct Answer: C

A company's Chief Security Officer has requested that a Security Analyst review and improve the security posture of each company IAM account The Security Analyst decides to do this by Improving IAM account root user security.
Which actions should the Security Analyst take to meet these requirements? (Select THREE.)

1. A. Delete the access keys for the account root user in every account.
2. B. Create an admin IAM user with administrative privileges and delete the account root user in every account.
3. C. Implement a strong password to help protect account-level access to the IAM Management Console by the account root user.
4. D. Enable multi-factor authentication (MFA) on every account root user in all accounts.
5. E. Create a custom IAM policy to limit permissions to required actions for the account root user and attach the policy to the account root user.
6. F. Attach an IAM role to the account root user to make use of the automated credential rotation in IAM STS.

Correct Answer: ADE
because these are the actions that can improve IAM account root user security. IAM account root user is a user that has complete access to all AWS resources and services in an account. IAM account root user security is a set of best practices that help protect the account root user from unauthorized or accidental use. Deleting the access keys for the account root user in every account can help prevent programmatic access by the account root user, which reduces the risk of compromise or misuse. Enabling MFA on every account root user in all accounts can help add an extra layer of security for console access by requiring a verification code in addition to a password. Creating a custom IAM policy to limit permissions to required actions for the account root user and attaching the policy to the account root user can help enforce the principle of least privilege and restrict the account root user from performing unnecessary or dangerous actions. The other options are either invalid or ineffective for improving IAM account root user security.

A company is hosting a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application has become the target of a DoS attack. Application logging shows that requests are coming from small number of client IP addresses, but the addresses change regularly.
The company needs to block the malicious traffic with a solution that requires the least amount of ongoing effort.
Which solution meets these requirements?

1. A. Create an AWS WAF rate-based rule, and attach it to the ALB.
2. B. Update the security group that is attached to the ALB to block the attacking IP addresses.
3. C. Update the ALB subnet's network ACL to block the attacking client IP addresses.
4. D. Create a AWS WAF rate-based rule, and attach it to the security group of the EC2 instances.

Correct Answer: A

A company is developing a highly resilient application to be hosted on multiple Amazon EC2 instances . The application will store highly sensitive user data in Amazon RDS tables
The application must
• Include migration to a different IAM Region in the application disaster recovery plan.
• Provide a full audit trail of encryption key administration events
• Allow only company administrators to administer keys.
• Protect data at rest using application layer encryption
A Security Engineer is evaluating options for encryption key management
Why should the Security Engineer choose IAM CloudHSM over IAM KMS for encryption key management in this situation?

1. A. The key administration event logging generated by CloudHSM is significantly more extensive than IAM KMS.
2. B. CloudHSM ensures that only company support staff can administer encryption keys, whereas IAM KMS allows IAM staff to administer keys
3. C. The ciphertext produced by CloudHSM provides more robust protection against brute force decryption attacks than the ciphertext produced by IAM KMS
4. D. CloudHSM provides the ability to copy keys to a different Region, whereas IAM KMS does not

Correct Answer: B
CloudHSM allows full control of your keys such including Symmetric (AES), Asymmetric (RSA), Sha-256, SHA 512, Hash Based, Digital Signatures (RSA). On the other hand, AWS Key Management Service is a
multi-tenant key storage that is owned and managed by AWS1.
References: 1: What are the differences between AWS Cloud HSM and KMS?

A Security Engineer has been tasked with enabling IAM Security Hub to monitor Amazon EC2 instances fix CVE in a single IAM account The Engineer has already enabled IAM Security Hub and Amazon Inspector m the IAM Management Console and has installed me Amazon Inspector agent on an EC2 instances that need to be monitored.
Which additional steps should the Security Engineer lake 10 meet this requirement?

1. A. Configure the Amazon inspector agent to use the CVE rule package
2. B. Configure the Amazon Inspector agent to use the CVE rule package Configure Security Hub to ingest from IAM inspector by writing a custom resource policy
3. C. Configure the Security Hub agent to use the CVE rule package Configure IAM Inspector lo ingest from Security Hub by writing a custom resource policy
4. D. Configure the Amazon Inspector agent to use the CVE rule package Install an additional Integration library Allow the Amazon Inspector agent to communicate with Security Hub

Correct Answer: D
you need to configure the Amazon Inspector agent to use the CVE rule package, which is a set of rules that check for vulnerabilities and exposures on your EC2 instances5. You also need to install an additional integration library that enables communication between the Amazon Inspector agent and Security
Hub6. Security Hub is a service that provides you with a comprehensive view of your security state in AWS and helps you check your environment against security industry standards and best practices7. The other options are either incorrect or incomplete for meeting the requirement.