Which of the following is not a best practice for carrying out a security audit?
Please select:

• A.Conduct an audit on a yearly basis
• B.Conduct an audit if application instances have been added to your account
• C.Conduct an audit if you ever suspect that an unauthorized person might have accessed your account
• D.Whenever there are changes in your organization

Comment: *

Name: *

Email: *

Verification: *

An Incident Response team is investigating an AWS access key leak that resulted in Amazon EC2 instances being launched. The company did not discover the incident until many months later The Director of Information Security wants to implement new controls that will alert when similar incidents happen in the future
Which controls should the company implement to achieve this? {Select TWO.)

• A.Enable VPC Flow Logs in all VPCs Create a scheduled AWS Lambda function that downloads and parses the logs, and sends an Amazon SNS notification for violations.
• B.Use AWS CloudTrail to make a trail, and apply it to all Regions Specify an Amazon S3 bucket to receive all the CloudTrail log files
• C.Add the following bucket policy to the company's AWS CloudTrail bucket to prevent log tampering
  {
  "Version": "2012-10-17-,
  "Statement": {
  "Effect": "Deny",
  "Action": "s3:PutObject",
  "Principal": "-",
  "Resource": "arn:aws:s3:::cloudtrail/AWSLogs/111122223333/*"
  }
  }
  Create an Amazon S3 data event for an PutObject attempts, which sends notifications to an Amazon SNS topic.
• D.Create a Security Auditor role with permissions to access Amazon CloudWatch Logs m all Regions Ship the logs to an Amazon S3 bucket and make a lifecycle policy to ship the logs to Amazon S3 Glacier.
• E.Verify that Amazon GuardDuty is enabled in all Regions, and create an Amazon CloudWatch Events rule for Amazon GuardDuty findings Add an Amazon SNS topic as the rule's target

Comment: *

Name: *

Email: *

Verification: *

An organization wants to log all AWS API calls made within all of its AWS accounts, and must have a central place to analyze these logs.
What steps should be taken to meet these requirements in the MOST secure manner? (Choose two.)

• A.Create a service-based role for CloudTrail and associate it with CloudTrail in each account.
• B.Turn on AWS CloudTrail in each AWS account.
• C.Turn on CloudTrail in only the account that will be storing the logs.
• D.Update the bucket policy of the bucket in the account that will be storing the logs so that other accounts can log to it.
• E.Update the bucket ACL of the bucket in the account that will be storing the logs so that other accounts can log to it.

Comment: *

Name: *

Email: *

Verification: *

A company has an AWS account and allows a third-party contractor, who uses another AWS account, to assume certain IAM roles. The company wants to ensure that IAM roles can be assumed by the contractor only if the contractor has multi-factor authentication enabled on their IAM user accounts.
What should the company do to accomplish this?

• A.Add the following condition to the IAM policy attached to all IAM roles:
  "Effect": "Deny",
  "Condition" : { "BoolItExists" : { "aws:MultiFactorAuthPresent" : false } }
• B.Add the following condition to the IAM policy attached to all IAM roles:
  "Effect": "Deny",
  "Condition" : { "Bool" : { "aws:MultiFactorAuthPresent" : false } }
• C.Add the following condition to the IAM policy attached to all IAM roles:
  "Effect": "Allow",
  "Condition" : { "Null" : { "aws:MultiFactorAuthPresent" : false } }
• D.Add the following condition to the IAM policy attached to all IAM roles:
  "Effect": "Allow",
  "Condition" : { "BoolItExists" : { "aws:MultiFactorAuthPresent" : false } }

Comment: *

Name: *

Email: *

Verification: *

You have a requirement to serve up private content using the keys available with Cloudfront. How can this be achieved?
Please select:

• A.Add the keys to the backend distribution.
• B.Add the keys to the S3 bucket
• C.Create pre-signed URL's
• D.Use AWS Access keys

Comment: *

Name: *

Email: *

Verification: *