A company plans to use custom AMIs to launch Amazon EC2 instances across multiple IAM accounts in a single Region to perform security monitoring and analytics tasks. The EC2 instances are launched in EC2 Auto Scaling groups. To increase the security of the solution, a Security Engineer will manage the lifecycle of the custom AMIs in a centralized account and will encrypt them with a centrally managed IAM KMS CMK.
The Security Engineer configured the KMS key policy to allow cross-account access. However, the EC2 instances are still not being properly launched by the EC2 Auto Scaling groups.
Which combination of configuration steps should the Security Engineer take to ensure the EC2 Auto Scaling groups have been granted the proper permissions to execute tasks?

• A.Create a customer-managed CMK or an IAM managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographical operations by applying proper cross-account permissions in the key policy. Use the CMK administrator to create a CMK grant that includes permissions to perform cryptographical operations that define EC2 Auto Scaling service-linked roles from all other accounts as the grantee principal.
• B.Create a customer-managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographical operations by applying proper cross-account permissions in the key policy.
  Create an IAM role in all applicable accounts and configure its access policy with permissions to create grants for the centrally managed CMK. Use this IAM role to create a grant for the centrally managed CMK with permissions to perform cryptographical operations and with the EC2 Auto Scaling service-linked role defined as the grantee principal.
• C.Create a customer-managed CMK or an IAM managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographical operations by applying proper cross-account permissions in the key policy. Modify the access policy for the EC2 Auto Scaling roles to perform cryptographical operations against the centrally managed CMK.
• D.Create a customer-managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographical operations by applying proper cross-account permissions in the key policy.
  Create an IAM role in all applicable accounts and configure its access policy to allow the use of the centrally managed CMK for cryptographical operations. Configure EC2 Auto Scaling groups within each applicable account to use the created IAM role to launch EC2 instances.

Comment: *

Name: *

Email: *

Verification: *

An organizational must establish the ability to delete an AWS KMS Customer Master Key (CMK) within a 24- hour timeframe to keep it from being used for encrypt or decrypt operations.
Which of the following actions will address this requirement?

• A.Manually rotate a key within KMS to create a new CMK immediately.
• B.Use the KMS import key functionality to execute a delete key operation.
• C.Use the schedule key deletion function within KMS to specify the minimum wait period for deletion.
• D.Change the KMS CMK alias to immediately prevent any services from using the CMK.

Comment: *

Name: *

Email: *

Verification: *

A company has decided to migrate sensitive documents from on-premises data centers to Amazon S3. Currently, the hard drives are encrypted to meet a compliance requirement regarding data encryption. The CISO wants to improve security by encrypting each file using a different key instead of a single key. Using a different key would limit the security impact of a single exposed key.
Which of the following requires the LEAST amount of configuration when implementing this approach?

• A.Place all the files in the same S3 bucket. Use server-side encryption with AWS KMS-managed keys (SSE-KMS) to encrypt the data
• B.Place each file into a different S3 bucket. Set the default encryption of each bucket to use a different AWS KMS customer managed key.
• C.Use the S3 encryption client to encrypt each file individually using S3-generated data keys
• D.Put all the files in the same S3 bucket. Using S3 events as a trigger, write an AWS Lambda function to encrypt each file as it is added using different AWS KMS data keys.

Comment: *

Name: *

Email: *

Verification: *

A company is hosting multiple applications within a single VPC in its IAM account. The applications are running behind an Application Load Balancer that is associated with an IAM WAF web ACL. The company's security team has identified that multiple port scans are originating from a specific range of IP addresses on the internet.
A security engineer needs to deny access from the offending IP addresses.
Which solution will meet these requirements?

• A.Modify the IAM WAF web ACL with an IP set match rule statement to deny incoming requests from the IP address range.
• B.Add a rule to all security groups to deny the incoming requests from the IP address range.
• C.Modify the IAM WAF web ACL with a rate-based rule statement to deny the incoming requests from the IP address range.
• D.Configure the IAM WAF web ACL with regex match conditions. Specify a pattern set to deny the incoming requests based on the match condition

Comment: *

Name: *

Email: *

Verification: *

A Security Engineer has been asked to troubleshoot inbound connectivity to a web server. This single web server is not receiving inbound connections from the internet, whereas all other web servers are functioning properly.
The architecture includes network ACLs, security groups, and a virtual security appliance. In addition, the Development team has implemented Application Load Balancers (ALBs) to distribute the load across all web servers. It is a requirement that traffic between the web servers and the internet flow through the virtual security appliance.
The Security Engineer has verified the following:
1. The rule set in the Security Groups is correct
2. The rule set in the network ACLs is correct
3. The rule set in the virtual appliance is correct
Which of the following are other valid items to troubleshoot in this scenario? (Choose two.)

• A.Verify that the 0.0.0.0/0 route in the public subnet points to a NAT gateway.
• B.Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to the virtual security appliance.
• C.Verify which Security Group is applied to the particular web server's elastic network interface (ENI).
• D.Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to a NAT gateway.
• E.Verify the registered targets in the ALB.

Comment: *

Name: *

Email: *

Verification: *