Auditors for a health care company have mandated that all data volumes be encrypted at rest Infrastructure is deployed mainly via IAM CloudFormation however third-party frameworks and manual deployment are required on some legacy systems
What is the BEST way to monitor, on a recurring basis, whether all EBS volumes are encrypted?

1. A. On a recurring basis, update an IAM user policies to require that EC2 instances are created with an encrypted volume
2. B. Configure an IAM Config rule lo run on a recurring basis 'or volume encryption
3. C. Set up Amazon Inspector rules tor volume encryption to run on a recurring schedule
4. D. Use CloudWatch Logs to determine whether instances were created with an encrypted volume

Correct Answer: B
To support answer B, use the reference https://d1.IAMstatic.com/whitepapers/IAM-security-whitepaper.pdf "For example, IAM Config provides a managed IAM Config Rules to ensure that encryption is turned on for
all EBS volumes in your account."

A company is using an AWS Key Management Service (AWS KMS) AWS owned key in its application to encrypt files in an AWS account The company's security team wants the ability to change to new key material for new files whenever a potential key breach occurs A security engineer must implement a solution that gives the security team the ability to change the key whenever the team wants to do so
Which solution will meet these requirements?

1. A. Create a new customer managed key Add a key rotation schedule to the key Invoke the key rotation schedule every time the security team requests a key change
2. B. Create a new AWS managed key Add a key rotation schedule to the key Invoke the key rotation schedule every time the security team requests a key change
3. C. Create a key alias Create a new customer managed key every time the security team requests a key change Associate the alias with the new key
4. D. Create a key alias Create a new AWS managed key every time the security team requests a key change Associate the alias with the new key

Correct Answer: A
To meet the requirement of changing the key material for new files whenever a potential key breach occurs, the most appropriate solution would be to create a new customer managed key, add a key rotation schedule to the key, and invoke the key rotation schedule every time the security team requests a key change.
References: : Rotating AWS KMS keys - AWS Key Management Service

A company wants to prevent SSH access through the use of SSH key pairs for any Amazon Linux 2 Amazon EC2 instances in its AWS account. However, a system administrator occasionally will need to access these EC2 instances through SSH in an emergency. For auditing purposes, the company needs to record any commands that a user runs in an EC2 instance.
What should a security engineer do to configure access to these EC2 instances to meet these requirements?

1. A. Use the EC2 serial console Configure the EC2 serial console to save all commands that are entered to an Amazon S3 bucke
2. B. Provide the EC2 instances with an IAM role that allows the EC2 serial console to access Amazon S3. Configure an IAM account for the system administrato
3. C. Provide an IAM policy that allows the IAM account to use the EC2 serial console.
4. D. Use EC2 Instance Connect Configure EC2 Instance Connect to save all commands that are entered to Amazon CloudWatch Log
5. E. Provide the EC2 instances with an IAM role that allows the EC2 instances to access CloudWatch Logs Configure an IAM account for the system administrato
6. F. Provide an IAM policy that allows the IAM account to use EC2 Instance Connect.
7. G. Use an EC2 key pair with an EC2 instance that needs SSH access Access the EC2 instance with this key pair by using SS
8. H. Configure the EC2 instance to save all commands that are entered to Amazon CloudWatch Log
9. I. Provide the EC2 instance with an IAM role that allows the EC2 instance to access Amazon S3 and CloudWatch Logs.
10. J. Use AWS Systems Manager Session Manager Configure Session Manager to save all commands that are entered in a session to an Amazon S3 bucke
11. K. Provide the EC2 instances with an IAM role that allows Systems Manager to manage the EC2 instance
12. L. Configure an IAM account for the system administrator Provide an IAM policy that allows the IAM account to use Session Manager.

Correct Answer: D
Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/. In the navigation pane, choose Session Manager. Choose the Preferences tab, and then choose Edit. Select the check box next to Enable under S3 logging. (Recommended) Select the check box next to Allow only encrypted S3 buckets. With this option turned on, log data is encrypted using the server-side encryption key specified for the bucket. If you don't want to encrypt the log data that is sent to Amazon S3, clear the check box. You must also clear the check box if encryption isn't allowed on the S3 bucket.

A company uses an external identity provider to allow federation into different IAM accounts. A security engineer for the company needs to identify the federated user that terminated a production Amazon EC2 instance a week ago.
What is the FASTEST way for the security engineer to identify the federated user?

1. A. Review the IAM CloudTrail event history logs in an Amazon S3 bucket and look for the Terminatelnstances event to identify the federated user from the role session name.
2. B. Filter the IAM CloudTrail event history for the Terminatelnstances event and identify the assumed IAM rol
3. C. Review the AssumeRoleWithSAML event call in CloudTrail to identify the corresponding username.
4. D. Search the IAM CloudTrail logs for the Terminatelnstances event and note the event tim
5. E. Review the IAM Access Advisor tab for all federated role
6. F. The last accessed time should match the time when the instance was terminated.
7. G. Use Amazon Athena to run a SQL query on the IAM CloudTrail logs stored in an Amazon S3 bucket and filter on the Terminatelnstances even
8. H. Identify the corresponding role and run another query to filter the AssumeRoleWithWebldentity event for the user name.

Correct Answer: B
The fastest way to identify the federated user who terminated a production Amazon EC2 instance is to filter the IAM CloudTrail event history for the TerminateInstances event and identify the assumed IAM role. Then, review the AssumeRoleWithSAML event call in CloudTrail to identify the corresponding username. This method does not require any additional tools or queries, and it directly links the IAM role with the federated user.
Option A is incorrect because the role session name may not be the same as the federated user name, and it may not be unique or descriptive enough to identify the user.
Option C is incorrect because the IAM Access Advisor tab only shows when a role was last accessed, not by whom or for what purpose. It also does not show the specific time of access, only the date.
Option D is incorrect because using Amazon Athena to run SQL queries on the IAM CloudTrail logs is not the fastest way to identify the federated user, as it requires creating a table schema and running multiple queries. It also assumes that the federation is done using web identity providers, not SAML providers, as indicated by the AssumeRoleWithWebIdentity event.
References:
AWS Identity and Access Management
Logging AWS STS API Calls with AWS CloudTrail
[Using Amazon Athena to Query S3 Data for CloudTrail Analysis]

Your company has a set of EC2 Instances defined in IAM. These Ec2 Instances have strict security groups attached to them. You need to ensure that changes to the Security groups are noted and acted on accordingly. How can you achieve this?
Please select:

1. A. Use Cloudwatch logs to monitor the activity on the Security Group
2. B. Use filters to search for the changes and use SNS for the notification.
3. C. Use Cloudwatch metrics to monitor the activity on the Security Group
4. D. Use filters to search for the changes and use SNS for the notification.
5. E. Use IAM inspector to monitor the activity on the Security Group
6. F. Use filters to search for the changes and use SNS f the notification.
7. G. Use Cloudwatch events to be triggered for any changes to the Security Group
8. H. Configure the Lambda function for email notification as well.

Correct Answer: D
The below diagram from an IAM blog shows how security groups can be monitored
C:\Users\wk\Desktop\mudassar\Untitled.jpg

Option A is invalid because you need to use Cloudwatch Events to check for chan, Option B is invalid because you need to use Cloudwatch Events to check for chang
Option C is invalid because IAM inspector is not used to monitor the activity on Security Groups For more information on monitoring security groups, please visit the below URL:
Ihttpsy/IAM.amazon.com/blogs/security/how-to-automatically-revert-and-receive-notifications-about-changes-t 'pc-security-groups/
The correct answer is: Use Cloudwatch events to be triggered for any changes to the Security Groups. Configure the Lambda function for email notification as well.
Submit your Feedback/Queries to our Experts