A company wants to adopt a methodology for handling security threats from leaked and compromised IAM access keys. The DevOps Engineer has been asked to automate the process of acting upon compromised access keys, which includes identifying users, revoking their permissions, and sending a notification to the Security team.
Which of the following would achieve this goal?

• A.Use the AWS Trusted Advisor generated security report for access keys. Use Amazon EMR to run analytics on the report. Identify compromised IAM access keys and delete them. Use Amazon CloudWatch with an EMR Cluster State Change event to notify the Security team.
• B.Use AWS Trusted Advisor to identify compromised access keys. Create an Amazon CloudWatch Events rule with Trusted Advisor as the event source, and AWS Lambda and Amazon SNS as targets. Use AWS Lambda to delete compromised IAM access keys and Amazon SNS to notify the Security team.
• C.Use the AWS Trusted Advisor generated security report for access keys. Use AWS Lambda to scan through the report. Use scan result inside AWS Lambda and delete compromised IAM access keys. Use Amazon SNS to notify the Security team.
• D.Use AWS Lambda with a third-party library to scan for compromised access keys. Use scan result inside AWS Lambda and delete compromised IAM access keys. Create Amazon CloudWatch custom metrics for compromised keys. Create a CloudWatch alarm on the metrics to notify the Security team.

Comment: *

Name: *

Email: *

Verification: *

Your development team wants account-level access to production instances in order to do live debugging of a highly secure environment. Which of the following should you do?

• A.Place each developer's own public key into a private S3 bucket, use instance profiles and configuration management to create a user account for each developer on all instances, and place the user's public keys into the appropriate account.
• B.Place the credentials provided by Amazon Elastic Compute Cloud (EC2) into a secure Amazon Sample Storage Service (S3) bucket with encryption enabled. Assign AWS Identity and Access Management (IAM) users to each developer so they can download the credentials file.
• C.Place an internally created private key into a secure S3 bucket with server-side encryption using customer keys and configuration management, create a service account on all the instances using this private key, and assign IAM users to each developer so they can download the file.
• D.Place the credentials provided by Amazon EC2 onto an MFA encrypted USB drive, and physically share it with each developer so that the private key never leaves the office.

Comment: *

Name: *

Email: *

Verification: *

An application stack includes an Elastic Load Balancer in a public subnet, a fleet of Amazon EC2 instances in
an Auto Scaling group, and an Amazon RDS MySQL cluster. Users connect to the application from the
Internet. The application servers and database must be secure.
How should a Solutions Architect perform this task?

• A.Create a public subnet for the Amazon EC2 instances and a private subnet for the Amazon RDS cluster.
• B.Create a public subnet for the Amazon EC2 instances and a public subnet for the Amazon RDS cluster.
• C.Create a private subnet for the Amazon EC2 instances and a public subnet for the Amazon RDS cluster.
• D.Create a private subnet for the Amazon EC2 instances and a private subnet for the Amazon RDS cluster.

Comment: *

Name: *

Email: *

Verification: *

When logging with Amazon CloudTrail, API call information for services with single end points is
____.

• A.captured in the same region as to which the API call is made and processed and delivered to the region associated with your Amazon S3 bucket
• B.captured and processed in the same region as to which the API call is made and delivered to the region associated with your Amazon S3 bucket
• C.captured, processed, and delivered to the region associated with your Amazon S3 bucket
• D.captured in the region where the end point is located, processed in the region where the CloudTrail trail is configured, and delivered to the region associated with your Amazon S3 bucket

Comment: *

Name: *

Email: *

Verification: *

A company wants to use Amazon ECS to provide a Docker container runtime environment. For compliance reasons, all Amazon EBS volumes used in the ECS cluster must be encrypted. Rolling updates will be made to the cluster instances and the company wants the instances drained of all tasks before being terminated.
How can these requirements be met? (Choose two.)

• A.Create an Auto Scaling lifecycle hook backed by an AWS Lambda function that uses the AWS SDK to mark a terminating instance as DRAINING. Prevent the lifecycle hook from completing until the running tasks on the instance are zero.
• B.Use AWS CodePipeline to build a pipeline that discovers the latest Amazon-provided ECS AMI, then copies the image to an encrypted AMI outputting the encrypted AMI ID. Use the encrypted AMI ID when deploying the cluster.
• C.Create an IAM role that allows the action ECS::EncryptedImage. Configure the AWS CLI and a profile to use this role. Start the cluster using the AWS CLI providing the --use-encrypted-imageand --kms- keyarguments to the create-clusterECS command.
• D.Copy the default AWS CloudFormation template that ECS uses to deploy cluster instances. Modify the template resource EBS configuration setting to set 'Encrypted: True' and include the AWS KMS alias: 'aws/ ebs' to encrypt the AMI.
• E.Modify the default ECS AMI user data to create a script that executes docker rm -f {id}for all running container instances. Copy the script to the /etc/init.d/rc.d directory and execute chconfigenabling the script to run during operating system shutdown.

Comment: *

Name: *

Email: *

Verification: *