- (Exam Topic 2)
An organization is using IAM CloudTrail, Amazon CloudWatch Logs, and Amazon CloudWatch to send alerts when new access keys are created. However, the alerts are no longer appearing in the Security Operations mail box.
Which of the following actions would resolve this issue?

1. A. In CloudTrail, verify that the trail logging bucket has a log prefix configured.
2. B. In Amazon SNS, determine whether the “Account spend limit” has been reached for this alert.
3. C. In SNS, ensure that the subscription used by these alerts has not been deleted.
4. D. In CloudWatch, verify that the alarm threshold “consecutive periods” value is equal to, or greater than 1.

Correct Answer: C

- (Exam Topic 4)
A company has a web-based application using Amazon CloudFront and running on Amazon Elastic Container Service (Amazon ECS) behind an Application Load Balancer (ALB). The ALB is terminating TLS and balancing load across ECS service tasks A security engineer needs to design a solution to ensure that application content is accessible only through CloudFront and that I is never accessible directly.
How should the security engineer build the MOST secure solution?

1. A. Add an origin custom header Set the viewer protocol policy to HTTP and HTTPS Set the origin protocol pokey to HTTPS only Update the application to validate the CloudFront custom header
2. B. Add an origin custom header Set the viewer protocol policy to HTTPS only Set the origin protocol policy to match viewer Update the application to validate the CloudFront custom header.
3. C. Add an origin custom header Set the viewer protocol policy to redirect HTTP to HTTPS Set the origin protocol policy to HTTP only Update the application to validate the CloudFront custom header.
4. D. Add an origin custom header Set the viewer protocol policy to redirect HTTP to HTTP
5. E. Set the origin protocol policy to HTTPS only Update the application to validate the CloudFront custom header

Correct Answer: D

- (Exam Topic 4)
A company uses AWS Organizations to manage a small number of AWS accounts. However, the company plans to add 1 000 more accounts soon. The company allows only a centralized security team to create IAM roles for all AWS accounts and teams. Application teams submit requests for IAM roles to the security team. The security team has a backlog of IAM role requests and cannot review and provision the IAM roles quickly.
The security team must create a process that will allow application teams to provision their own IAM roles. The process must also limit the scope of IAM roles and prevent privilege escalation.
Which solution will meet these requirements with the LEAST operational overhead?

1. A. Create an IAM group for each application tea
2. B. Associate policies with each IAM grou
3. C. Provision IAM users for each application team membe
4. D. Add the new IAM users to the appropriate IAM group by using role-based access control (RBAC).
5. E. Delegate application team leads to provision IAM rotes for each tea
6. F. Conduct a quarterly review of the IAM rotes the team leads have provisione
7. G. Ensure that the application team leads have the appropriatetraining to review IAM roles.
8. H. Put each AWS account in its own O
9. I. Add an SCP to each OU to grant access to only the AWS services that the teams plan to us
10. J. Include conditions tn the AWS account of each team.
11. K. Create an SCP and a permissions boundary for IAM role
12. L. Add the SCP to the root OU so that only roles that have the permissions boundary attached can create any new IAM roles.

Correct Answer: D
To create a process that will allow application teams to provision their own IAM roles, while limiting the scope of IAM roles and preventing privilege escalation, the following steps are required:
Create a service control policy (SCP) that defines the maximum permissions that can be granted to any IAM role in the organization. An SCP is a type of policy that you can use with AWS Organizations to manage permissions for all accounts in your organization. SCPs restrict permissions for entities in member accounts, including each AWS account root user, IAM users, and roles. For more information, see Service control policies overview.
Create a permissions boundary for IAM roles that matches the SCP. A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity. A permissions boundary allows an entity to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries. For more information, see Permissions boundaries for IAM entities.
Add the SCP to the root organizational unit (OU) so that it applies to all accounts in the organization.
This will ensure that no IAM role can exceed the permissions defined by the SCP, regardless of how it is created or modified.
Instruct the application teams to attach the permissions boundary to any IAM role they create. This will prevent them from creating IAM roles that can escalate their own privileges or access resources they are not authorized to access.
This solution will meet the requirements with the least operational overhead, as it leverages AWS Organizations and IAM features to delegate and limit IAM role creation without requiring manual reviews or approvals.
The other options are incorrect because they either do not allow application teams to provision their own IAM roles (A), do not limit the scope of IAM roles or prevent privilege escalation (B), or do not take advantage of managed services whenever possible ©.
Verified References:
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html

- (Exam Topic 4)
An organization wants to log all IAM API calls made within all of its IAM accounts, and must have a central place to analyze these logs. What steps should be taken to meet these requirements in the MOST secure manner? (Select TWO)

1. A. Turn on IAM CloudTrail in each IAM account
2. B. Turn on CloudTrail in only the account that will be storing the logs
3. C. Update the bucket ACL of the bucket in the account that will be storing the logs so that other accounts can log to it
4. D. Create a service-based role for CloudTrail and associate it with CloudTrail in each account
5. E. Update the bucket policy of the bucket in the account that will be storing the logs so that other accounts can log to it

Correct Answer: AE

- (Exam Topic 2)
The Security Engineer created a new IAM Key Management Service (IAM KMS) key with the following key policy:

What are the effects of the key policy? (Choose two.)

1. A. The policy allows access for the IAM account 111122223333 to manage key access though IAM policies.
2. B. The policy allows all IAM users in account 111122223333 to have full access to the KMS key.
3. C. The policy allows the root user in account 111122223333 to have full access to the KMS key.
4. D. The policy allows the KMS service-linked role in account 111122223333 to have full access to the KMS key.
5. E. The policy allows all IAM roles in account 111122223333 to have full access to the KMS key.

Correct Answer: AC
Giving the IAM account full access to the CMK does this; it enables you to use IAM policies to give IAM users and roles in the account access to the CMK. It does not by itself give any IAM users or roles access to the CMK, but it enables you to use IAM policies to do so.
https://docs.IAM.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enabl