A company uses an Amazon S3 bucket to store reports Management has mandated that all new objects stored in this bucket must be encrypted at rest using server-side encryption with a client-specified IAM Key Management Service (IAM KMS) CMK owned by the same account as the S3 bucket. The IAM account number is 111122223333, and the bucket name Is report bucket. The company's security specialist must write the S3 bucket policy to ensure the mandate can be Implemented Which statement should the security specialist include in the policy?

• A.
• B.
• C.
• D.

Comment: *

Name: *

Email: *

Verification: *

The Security Engineer for a mobile game has to implement a method to authenticate users so that they can save their progress. Because most of the users are part of the same OpenID-Connect compatible social media website, the Security Engineer would like to use that as the identity provider.
Which solution is the SIMPLEST way to allow the authentication of users using their social media identities?

• A.Amazon Cognito
• B.AssumeRoleWithWebIdentity API
• C.Amazon Cloud Directory
• D.Active Directory (AD) Connector

Comment: *

Name: *

Email: *

Verification: *

An organization wants to log all AWS API calls made within all of its AWS accounts, and must have a central place to analyze these logs. What steps should be taken to meet these requirements in the MOST secure manner? (Select TWO)

• A.Turn on CloudTrail in only the account that will be storing the logs
• B.Turn on AWS CloudTrail in each AWS account
• C.Update the bucket ACL of the bucket in the account that will be storing the logs so that other accounts can log to it
• D.Update the bucket policy of the bucket in the account that will be storing the logs so that other accounts can log to it
• E.Create a service-based role for CloudTrail and associate it with CloudTrail in each account

Comment: *

Name: *

Email: *

Verification: *

An employee keeps terminating EC2 instances on the production environment. You've determined the best way to ensure this doesn't happen is to add an extra layer of defense against terminating the instances. What is the best method to ensure the employee does not terminate the production instances? Choose the 2 correct answers from the options below Please select:

• A.Tag the instance with a production-identifying tag and add resource-level permissions to the employee user with an explicit deny on the terminate API call to instances with the production tag. <
• B.Tag the instance with a production-identifying tag and modify the employees group to allow only start stop, and reboot API calls and not the terminate instance call.
• C.Modify the IAM policy on the user to require MFA before deleting EC2 instances and disable MFA access to the employee
• D.Modify the IAM policy on the user to require MFA before deleting EC2 instances

Comment: *

Name: *

Email: *

Verification: *

A company has a customer master key (CMK) with imported key materials. Company policy requires that all encryption keys must be rotated every year.
What can be done to implement the above policy?

• A.Enable automatic key rotation annually for the CMK.
• B.Use IAM Command Line Interface to create an IAM Lambda function to rotate the existing CMK annually.
• C.Import new key material to the existing CMK and manually rotate the CMK.
• D.Create a new CMK, import new key material to it, and point the key alias to the new CMK.

Comment: *

Name: *

Email: *

Verification: *