A company plans to move most of its IT infrastructure to AWS. The company wants to leverage its existing on-premises Active Directory as an identity provider for AWS.
Which steps should be taken to authenticate to AWS services using the company's on-premises Active Directory? (Choose three).

• A.Create IAM roles with permissions corresponding to each Active Directory group.
• B.Create IAM groups with permissions corresponding to each Active Directory group.
• C.Create a SAML provider with IAM.
• D.Create a SAML provider with Amazon Cloud Directory.
• E.Configure AWS as a trusted relying party for the Active Directory
• F.Configure IAM as a trusted relying party for Amazon Cloud Directory.

Comment: *

Name: *

Email: *

Verification: *

An external Auditor finds that a company's user passwords have no minimum length. The company is currently using two identity providers:
* AWS IAM federated with on-premises Active Directory
* Amazon Cognito user pools to accessing an AWS Cloud application developed by the company Which combination o1 actions should the Security Engineer take to solve this issue? (Select TWO.)

• A.Enforce an IAM policy In Amazon Cognito and AWS IAM with a minimum password length condition.
• B.Create an SCP with AWS Organizations that enforces a minimum password length for AWS IAM and Amazon Cognito.
• C.Update the password length policy In the on-premises Active Directory configuration.
• D.Update the password length policy in the Amazon Cognito configuration.
• E.Update the password length policy In the IAM configuration.

Comment: *

Name: *

Email: *

Verification: *

Your company uses IAM to host its resources. They have the following requirements
1) Record all API calls and Transitions
2) Help in understanding what resources are there in the account
3) Facility to allow auditing credentials and logins Which services would suffice the above requirements Please select:

• A.IAM Inspector, CloudTrail, IAM Credential Reports
• B.CloudTrail. IAM Credential Reports, IAM SNS
• C.CloudTrail, IAM Config, IAM Credential Reports
• D.IAM SQS, IAM Credential Reports, CloudTrail

Comment: *

Name: *

Email: *

Verification: *

A corporate cloud security policy states that communications between the company's VPC and KMS must travel entirely within the AWS network and not use public service endpoints.
Which combination of the following actions MOST satisfies this requirement? (Choose two.)

• A.Add the aws:sourceVpcecondition to the AWS KMS key policy referencing the company's VPC endpoint ID.
• B.Remove the VPC internet gateway from the VPC and add a virtual private gateway to the VPC to prevent direct, public internet connectivity.
• C.Create a VPC endpoint for AWS KMS with private DNS enabled.
• D.Use the KMS Import Key feature to securely transfer the AWS KMS key over a VPN.
• E.Add the following condition to the AWS KMS key policy: "aws:SourceIp": "10.0.0.0/16".

Comment: *

Name: *

Email: *

Verification: *

Your company has an external web site. This web site needs to access the objects in an S3 bucket. Which of the following would allow the web site to access the objects in the most secure manner?
Please select:

• A.Grant public access for the bucket via the bucket policy
• B.Use the aws:Referer key in the condition clause for the bucket policy
• C.Use the aws:sites key in the condition clause for the bucket policy
• D.Grant a role that can be assumed by the web site

Correct Answer: B

Explanation
An example of this is given intheAWS Documentatioi
Restricting Access to a Specific HTTP Referrer
Suppose you have a website with domain name (www.example.com or example.com) with links to photos and videos stored in your S3 bucket examplebucket. By default, all the S3 resources are private, so only the AWS account that created the resources can access them. To allow read access to these objects from your website, you can add a bucket policy that allows s3:GetObject permission with a condition, using the aws:referer key, that the get request must originate from specific webpages. The following policy specifies the StringLike condition with the aws:Referer condition key.

Option A is invalid because giving public access is not a secure way to provide access Option C is invalid because aws:sites is not a valid condition key Option D is invalid because 1AM roles will not be assigned to web sites For more information on example bucket policies please visit the below Link:
1 https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html The correct answer is: Use the aws:Referer key in the condition clause for the bucket policy Submit your Feedback/Queries to our Experts

Comment: *

Name: *

Email: *

Verification: *