You currently have an S3 bucket hosted in an AWS Account. It holds information that needs be accessed by a partner account. Which is the MOST secure way to allow the partner account to access the S3 bucket in your account? Select 3 options.
Please select:

• A.Ensure an 1AM role is created which can be assumed by the partner account.
• B.Ensure an 1AM user is created which can be assumed by the partner account.
• C.Ensure the partner uses an external id when making the request
• D.Provide the ARN for the role to the partner account
• E.Provide the Account Id to the partner account
• F.Provide access keys for your account to the partner account

Correct Answer: A,C,D

Explanation
Option B is invalid because Roles are assumed and not 1AM users
Option E is invalid because you should not give the account ID to the partner Option F is invalid because you should not give the access keys to the partner The below diagram from the AWS documentation showcases an example on this wherein an 1AM role and external ID is us> access an AWS account resources

For more information on creating roles for external ID'S please visit the following URL:
The correct answers are: Ensure an 1AM role is created which can be assumed by the partner account. Ensure the partner uses an external id when making the request Provide the ARN for the role to the partner account Submit your Feedback/Queries to our Experts

Comment: *

Name: *

Email: *

Verification: *

A Systems Engineer has been tasked with configuring outbound mail through Simple Email Service (SES) and requires compliance with current TLS standards.
The mail application should be configured to connect to which of the following endpoints and corresponding ports?

• A.email-pop3.us-east-1.amazonaws.com over port 995
• B.email-smtp.us-east-1.amazonaws.com over port 587
• C.email.us-east-1.amazonaws.com over port 8080
• D.email-imap.us-east-1.amazonaws.com over port 993

Comment: *

Name: *

Email: *

Verification: *

A security engineer is designing a solution that will provide end-to-end encryption between clients and Docker containers running In Amazon Elastic Container Service (Amazon ECS). This solution will also handle volatile traffic patterns Which solution would have the MOST scalability and LOWEST latency?

• A.Configure Amazon Route 53 to use multivalue answer routing to send traffic to the containers
• B.Configure an Application Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers
• C.Configure a Network Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers
• D.Configure a Network Load Balancer with a TCP listener to pass through TLS traffic to the containers

Comment: *

Name: *

Email: *

Verification: *

An organization has tens of applications deployed on thousands of Amazon EC2 instances. During testing, the Application team needs information to let them know whether the network access control lists (network ACLs) and security groups are working as expected.
How can the Application team's requirements be met?

• A.Install an Amazon Inspector agent on each EC2 instance, send the logs to Amazon S3, and use Amazon EMR to query the logs.
• B.Create an AWS Config rule for each network ACL and security group configuration, send the logs to Amazon S3, and use Amazon Athena to query the logs.
• C.Turn on VPC Flow Logs, send the logs to Amazon S3, and use Amazon Athena to query the logs.
• D.Turn on AWS CloudTrail, send the trails to Amazon S3, and use AWS Lambda to query the trails.

Comment: *

Name: *

Email: *

Verification: *

A Security Engineer discovers that developers have been adding rules to security groups that allow SSH and RDP traffic from 0.0.0.0/0 instead of the organization firewall IP.
What is the most efficient way to remediate the risk of this activity?

• A.Use AWS Config rules to detect 0.0.0.0/0 and invoke an AWS Lambda function to update the security group with the organization's firewall IP.
• B.Use a host-based firewall to prevent access from all but the organization's firewall IP.
• C.Use network access control lists to block source IP addresses matching 0.0.0.0/0.
• D.Delete the internet gateway associated with the VPC.

Comment: *

Name: *

Email: *

Verification: *