A company has implemented centralized logging and monitoring of AWS CloudTrail logs from all Regions in an Amazon S3 bucket. The log Hies are encrypted using AWS KMS. A Security Engineer is attempting to review the log files using a third-party tool hosted on an Amazon EC2 instance The Security Engineer is unable to access the logs in the S3 bucket and receives an access denied error message What should the Security Engineer do to fix this issue?

• A.Check that the role the Security Engineer uses grants permission to decrypt objects using the KMS CMK and gives access to the S3 bucket and objects
• B.Check that the role the EC2 instance profile uses grants permission lo decrypt objects using the KMS CMK and gives access to the S3 bucket and objects
• C.Check that the role the EC2 instance profile uses grants permission to decrypt objects using the KMS CMK
• D.Check that the role the Security Engineer uses grants permission to decrypt objects using the KMS CMK.

Comment: *

Name: *

Email: *

Verification: *

A company maintains sensitive data in an Amazon S3 bucket that must be protected using an AWS KMS CMK. The company requires that keys be rotated automatically every year.
How should the bucket be configured?

• A.Select server-side encryption with Amazon S3-managed keys (SSE-S3) and select a customer-managed CMK that has imported key material.
• B.Select server-side encryption with AWS KMS-managed keys (SSE-KMS) and select an alias to an AWS-managed CMK.
• C.Select Amazon S3-AWS KMS managed encryption keys (S3-KMS) and select a customer-managed CMK with key rotation enabled.
• D.Select server-side encryption with Amazon S3-managed keys (SSE-S3) and select an AWS-managed CMK.

Comment: *

Name: *

Email: *

Verification: *

Authorized Administrators are unable to connect to an Amazon EC2 Linux bastion host using SSH over the internet. The connection either fails to respond or generates the following error message:
Network error: Connection timed out.
What could be responsible for the connection failure? (Select THREE )

• A.The security group denies outbound traffic on ephemeral ports
• B.The host-based firewall is denying SSH traffic
• C.The route table is missing a route to the internet gateway
• D.The NAT gateway in the subnet where the EC2 instance is deployed has been misconfigured
• E.The NACL denies outbound traffic on ephemeral ports
• F.The internet gateway of the VPC has been reconfigured

Comment: *

Name: *

Email: *

Verification: *

Your company is planning on using bastion hosts for administering the servers in AWS. Which of the following is the best description of a bastion host from a security perspective?
Please select:

• A.A Bastion host should be on a private subnet and never a public subnet due to security concerns
• B.A Bastion host sits on the outside of an internal network and is used as a gateway into the private network and is considered the critical strong point of the network
• C.Bastion hosts allow users to log in using RDP or SSH and use that session to S5H into internal network to access private subnet resources.
• D.A Bastion host should maintain extremely tight security and monitoring as it is available to the public

Comment: *

Name: *

Email: *

Verification: *

A company stores critical data in an S3 bucket. There is a requirement to ensure that an extra level of security is added to the S3 bucket. In addition , it should be ensured that objects are available in a secondary region if the primary one goes down. Which of the following can help fulfil these requirements? Choose 2 answers from the options given below Please select:

• A.Enable bucket versioning and also enable CRR
• B.Enable bucket versioning and enable Master Pays
• C.For the Bucket policy add a condition for {"Null": {"aws:MultiFactorAuthAge": true}} i
• D.Enable the Bucket ACL and add a condition for {"Null": {"aws:MultiFactorAuthAge": true}}

Correct Answer: A,C

The AWS Documentation mentions the following
Adding a Bucket Policy to Require MFA
Amazon S3 supports MFA-protected API access, a feature that can enforce multi-factor authentication (MFA) for access to your Amazon S3 resources. Multi-factor authentication provides an extra level of security you can apply to your AWS environment. It is a security feature that requires users to prove physical possession of an MFA device by providing a valid MFA code. For more information, go to AWS Multi-Factor Authentication. You can require MFA authentication for any requests to access your Amazoi. S3 resources.
You can enforce the MFA authentication requirement using the aws:MultiFactorAuthAge key in a bucket policy. IAM users car access Amazon S3 resources by using temporary credentials issued by the AWS Security Token Service (STS). You provide the MFA code at the time of the STS request.
When Amazon S3 receives a request with MFA authentication, the aws:MultiFactorAuthAge key provides a numeric value indicating how long ago (in seconds) the temporary credential was created. If the temporary credential provided in the request was not created using an MFA device, this key value is null (absent). In a bucket policy, you can add a condition to check this value, as shown in the following example bucket policy. The policy denies any Amazon S3 operation on the /taxdocuments folder in the examplebucket bucket if the request is not MFA authenticated. To learn more about MFA authentication, see Using Multi-Factor Authentication (MFA) in AWS in the IAM User Guide.

Option B is invalid because just enabling bucket versioning will not guarantee replication of objects Option D is invalid because the condition for the bucket policy needs to be set accordingly For more information on example bucket policies, please visit the following URL: * https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html Also versioning and Cross Region replication can ensure that objects will be available in the destination region in case the primary region fails.
For more information on CRR, please visit the following URL:
https://docs.aws.amazon.com/AmazonS3/latest/dev/crr.html
The correct answers are: Enable bucket versioning and also enable CRR, For the Bucket policy add a condition for {"Null": { "aws:MultiFactorAuthAge": true}} Submit your Feedback/Queries to our Experts

Comment: *

Name: *

Email: *

Verification: *