A company deployed AWS Organizations to help manage its increasing number of AWS accounts. A security engineer wants to ensure only principals in the Organization structure can access a specific Amazon S3 bucket. The solution must also minimize operational overhead
Which solution will meet these requirements?

• A.Specify the organization ID in the global key condition element of a bucket policy, allowing all principals access.
• B.1 Put all users into an IAM group with an access policy granting access to the J bucket.
• C.Have the account creation trigger an AWS Lambda function that manages the bucket policy, allowing access to accounts listed in the policy only.
• D.Add an SCP to the Organizations master account, allowing all principals access to the bucket.

Comment: *

Name: *

Email: *

Verification: *

An organization has tens of applications deployed on thousands of Amazon EC2 instances. During testing, the Application team needs information to let them know whether the network access control lists (network ACLs) and security groups are working as expected.
How can the Application team's requirements be met?

• A.Turn on AWS CloudTrail, send the trails to Amazon S3, and use AWS Lambda to query the trails.
• B.Turn on VPC Flow Logs, send the logs to Amazon S3, and use Amazon Athena to query the logs.
• C.Create an AWS Config rule for each network ACL and security group configuration, send the logs to Amazon S3, and use Amazon Athena to query the logs.
• D.Install an Amazon Inspector agent on each EC2 instance, send the logs to Amazon S3, and use Amazon EMR to query the logs.

Comment: *

Name: *

Email: *

Verification: *

A company wishes to enable Single Sign On (SSO) so its employees can login to the management console using their corporate directory identity. Which steps below are required as part of the process? Select 2 answers from the options given below.
Please select:

• A.Create a Direct Connect connection between on-premise network and AWS. Use an AD connector for connecting AWS with on-premise active directory.
• B.Create 1AM policies that can be mapped to group memberships in the corporate directory.
• C.Create a Lambda function to assign 1AM roles to the temporary security tokens provided to the users.
• D.Create 1AM users that can be mapped to the employees' corporate identities
• E.Create an 1AM role that establishes a trust relationship between 1AM and the corporate directory identity provider (IdP)

Correct Answer: A,E

Create a Direct Connect connection so that corporate users can access the AWS account Option B is incorrect because 1AM policies are not directly mapped to group memberships in the corporate directory. It is 1AM roles which are mapped.
Option C is incorrect because Lambda functions is an incorrect option to assign roles.
Option D is incorrect because 1AM users are not directly mapped to employees' corporate identities.
For more information on Direct Connect, please refer to below URL:
' https://aws.amazon.com/directconnect/
From the AWS Documentation, for federated access, you also need to ensure the right policy permissions are in place Configure permissions in AWS for your federated users The next step is to create an 1AM role that establishes a trust relationship between 1AM and your organization's IdP that identifies your IdP as a principal (trusted entity) for purposes of federation. The role also defines what users authenticated your organization's IdP are allowed to do in AWS. You can use the 1AM console to create this role. When you create the trust policy that indicates who can assume the role, you specify the SAML provider that you created earlier in 1AM along with one or more SAML attributes that a user must match to be allowed to assume the role. For example, you can specify that only users whose SAML eduPersonOrgDN value is ExampleOrg are allowed to sign in. The role wizard automatically adds a condition to test the saml:aud attribute to make sure that the role is assumed only for sign-in to the AWS Management Console. The trust policy for the role might look like this:

For more information on SAML federation, please refer to below URL:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enabli Note:
What directories can I use with AWS SSO?
You can connect AWS SSO to Microsoft Active Directory, running either on-premises or in the AWS Cloud. AWS SSO supports AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD, and AD Connector. AWS SSO does not support Simple AD. See AWS Directory Service Getting Started to learn more.
To connect to your on-premises directory with AD Connector, you need the following:
VPC
Set up a VPC with the following:
* At least two subnets. Each of the subnets must be in a different Availability Zone.
* The VPC must be connected to your on-premises network through a virtual private network (VPN) connection or AWS Direct Connect.
* The VPC must have default hardware tenancy.
* https://aws.amazon.com/single-sign-on/
* https://aws.amazon.com/single-sign-on/faqs/
* https://aws.amazon.com/bloj using-corporate-credentials/
* https://docs.aws.amazon.com/directoryservice/latest/admin-
The correct answers are: Create a Direct Connect connection between on-premise network and AWS. Use an AD connector connecting AWS with on-premise active directory.. Create an 1AM role that establishes a trust relationship between 1AM and corporate directory identity provider (IdP) Submit your Feedback/Queries to our Experts

Comment: *

Name: *

Email: *

Verification: *

A company wants to control access to its AWS resources by using identities and groups that are defined in its existing Microsoft Active Directory.
What must the company create in its AWS account to map permissions for AWS services to Active Directory user attributes?

• A.AWS IAM users
• B.AWS IAM access keys
• C.AWS IAM roles
• D.AWS IAM groups

Comment: *

Name: *

Email: *

Verification: *

A company's database developer has just migrated an Amazon RDS database credential to be stored and managed by AWS Secrets Manager. The developer has also enabled rotation of the credential within the Secrets Manager console and set the rotation to change every 30 days.
After a short period of time, a number of existing applications have failed with authentication errors.
What is the MOST likely cause of the authentication errors?

• A.Enabling rotation in Secrets Manager causes the secret to rotate immediately, and the applications are using the earlier credential.
• B.The Secrets Manager IAM policy does not allow access to the RDS database.
• C.The Secrets Manager IAM policy does not allow access for the applications.
• D.Migrating the credential to RDS requires that all access come through requests to the Secrets Manager.

Comment: *

Name: *

Email: *

Verification: *