A company is implementing a new application in a new IAM account. A VPC and subnets have been created for the application. The application has been peered to an existing VPC in another account in the same IAM Region for database access. Amazon EC2 instances will regularly be created and terminated in the application VPC, but only some of them will need access to the databases in the peered VPC over TCP port 1521. A security engineer must ensure that only the EC2 instances that need access to the databases can access them through the network.
How can the security engineer implement this solution?

1. A. Create a new security group in the database VPC and create an inbound rule that allows all traffic from the IP address range of the application VP
2. B. Add a new network ACL rule on the database subnet
3. C. Configure the rule to TCP port 1521 from the IP address range of the application VP
4. D. Attach the new security group to the database instances that the application instances need to access.
5. E. Create a new security group in the application VPC with an inbound rule that allows the IP address range of the database VPC over TCP port 1521. Create a new security group in the database VPC with an inbound rule that allows the IP address range of the application VPC over port 1521. Attach the new security group to the database instances and the application instances that need database access.
6. F. Create a new security group in the application VPC with no inbound rule
7. G. Create a new security group in the database VPC with an inbound rule that allows TCP port 1521 from the new application security group in the application VP
8. H. Attach the application security group to the application instances that need database access, and attach the database security group to the database instances.
9. I. Create a new security group in the application VPC with an inbound rule that allows the IP address range of the database VPC over TCP port 1521. Add a new network ACL rule on the database subnet
10. J. Configure the rule to allow all traffic from the IP address range of the application VP
11. K. Attach the new security group to the application instances that need database access.

Correct Answer: C

A security engineer is creating an AWS Lambda function. The Lambda function needs to use a role that is named LambdaAuditRole to assume a role that is named AcmeAuditFactoryRole in a different AWS account.
When the code is processed, the following error message appears: "An error oc-curred (AccessDenied) when calling the AssumeRole operation."
Which combination of steps should the security engineer take to resolve this er-ror? (Select TWO.)

1. A. Ensure that LambdaAuditRole has the sts:AssumeRole permission for Ac-meAuditFactoryRole.
2. B. Ensure that LambdaAuditRole has the AWSLambdaBasicExecutionRole managed policy attached.
3. C. Ensure that the trust policy for AcmeAuditFactoryRole allows the sts:AssumeRole action from LambdaAuditRole.
4. D. Ensure that the trust policy for LambdaAuditRole allows the sts:AssumeRole action from the lambda.amazonaws.com service.
5. E. Ensure that the sts:AssumeRole API call is being issued to the us-east-I Region endpoint.

Correct Answer: AC

A company deploys a distributed web application on a fleet of Amazon EC2 instances. The fleet is behind an Application Load Balancer (ALB) that will be configured to terminate the TLS connection. All TLS traffic to the ALB must stay secure, even if the certificate private key is compromised.
How can a security engineer meet this requirement?

1. A. Create an HTTPS listener that uses a certificate that is managed by IAM Certificate Manager (ACM).
2. B. Create an HTTPS listener that uses a security policy that uses a cipher suite with perfect toward secrecy (PFS).
3. C. Create an HTTPS listener that uses the Server Order Preference security feature.
4. D. Create a TCP listener that uses a custom security policy that allows only cipher suites with perfect forward secrecy (PFS).

Correct Answer: A

A security engineer is using AWS Organizations and wants to optimize SCPs. The security engineer needs to ensure that the SCPs conform to best practices.
Which approach should the security engineer take to meet this requirement?

1. A. Use AWS IAM Access Analyzer to analyze the policie
2. B. View the findings from policy validation checks.
3. C. Review AWS Trusted Advisor checks for all accounts in the organization.
4. D. Set up AWS Audit Manage
5. E. Run an assessment for all AWS Regions for all accounts.
6. F. Ensure that Amazon Inspector agents are installed on all Amazon EC2 in-stances in all accounts.

Correct Answer: A

A Security Engineer is working with a Product team building a web application on AWS. The application uses Amazon S3 to host the static content, Amazon API
Gateway to provide RESTful services; and Amazon DynamoDB as the backend data store. The users already exist in a directory that is exposed through a SAML identity provider.
Which combination of the following actions should the Engineer take to enable users to be authenticated into the web application and call APIs? (Choose three.)

1. A. Create a custom authorization service using AWS Lambda.
2. B. Configure a SAML identity provider in Amazon Cognito to map attributes to the Amazon Cognito user pool attributes.
3. C. Configure the SAML identity provider to add the Amazon Cognito user pool as a relying party.
4. D. Configure an Amazon Cognito identity pool to integrate with social login providers.
5. E. Update DynamoDB to store the user email addresses and passwords.
6. F. Update API Gateway to use a COGNITO_USER_POOLS authorizer.

Correct Answer: BCF
The combination of the following actions should the Engineer take to enable users to be authenticated into the web application and call APIs are:
B. Configure a SAML identity provider in Amazon Cognito to map attributes to the Amazon Cognito user pool attributes. This is a necessary step to federate the existing users from the SAML identity provider to the Amazon Cognito user pool, which will be used for authentication and authorization1.
C. Configure the SAML identity provider to add the Amazon Cognito user pool as a relying party. This is a necessary step to establish a trust relationship between the SAML identity provider and the Amazon Cognito user pool, which will allow the users to sign in using their existing credentials2.
F. Update API Gateway to use a COGNITO_USER_POOLS authorizer. This is a necessary step to enable API Gateway to use the Amazon Cognito user pool as an authorizer for the RESTful services, which will validate the identity or access tokens that are issued by Amazon Cognito when a user signs in successfully3.
The other options are incorrect because:
A. Creating a custom authorization service using AWS Lambda is not a necessary step, because Amazon Cognito user pools can provide built-in authorization features, such as scopes and groups, that can be used to control access to API resources4.
D. Configuring an Amazon Cognito identity pool to integrate with social login providers is not a necessary step, because the users already exist in a directory that is exposed through a SAML identity provider, and there is no requirement to support social login providers5.
E. Updating DynamoDB to store the user email addresses and passwords is not a necessary step, because the user credentials are already stored in the SAML identity provider, and there is no need to duplicate them in DynamoDB6.
References:
1: Using Tokens with User Pools 2: Adding SAML Identity Providers to a User Pool 3: Control Access to a REST API Using Amazon Cognito User Pools as Authorizer 4: API Authorization with Resource Servers and OAuth 2.0 Scopes 5: Using Identity Pools (Federated Identities) 6: Amazon DynamoDB