A Security Engineer creates an Amazon S3 bucket policy that denies access to all users. A few days later, the Security Engineer adds an additional statement to the bucket policy to allow read-only access to one other employee. Even after updating the policy, the employee still receives an access denied message.
What is the likely cause of this access denial?

• A.The ACL in the bucket needs to be updated
• B.The IAM policy does not allow the user to access the bucket
• C.It takes a few minutes for a bucket policy to take effect
• D.The allow permission is being overridden by the deny

Comment: *

Name: *

Email: *

Verification: *

An application developer is using an AWS Lambda function that must use AWS KMS to perform encrypt and decrypt operations for API keys that are less than 2 KB Which key policy would allow the application to do this while granting least privilege?

• A.Option A
• B.Option C
• C.Option B
• D.Option D

Comment: *

Name: *

Email: *

Verification: *

Which of the following bucket policies will ensure that objects being uploaded to a bucket called 'demo' are encrypted.
Please select:

• A.A
  
• B.B
  
• C.C
  
• D.D
  

Correct Answer: A

The condition of "s3:x-amz-server-side-encryption":"aws:kms" ensures that objects uploaded need to be encrypted.
Options B,C and D are invalid because you have to ensure the condition of ns3:x-amz-server-side-encryption":"aws:kms" is present For more information on AWS KMS best practices, just browse to the below URL:
https://dl.awsstatic.com/whitepapers/aws-kms-best-praaices.pdf

Submit your Feedback/Queries to our Expert

Comment: *

Name: *

Email: *

Verification: *

An auditor needs access to logs that record all API events on AWS. The auditor only needs read-only access to the log files and does not need access to each AWS account. The company has multiple AWS accounts, and the auditor needs access to all the logs for all the accounts. What is the best way to configure access for the auditor to view event logs from all accounts? Choose the correct answer from the options below Please select:

• A.Configure the CloudTrail service in each AWS account, and have the logs delivered to an AWS bucket on each account, while granting the auditor permissions to the bucket via roles in the secondary accounts and a single primary 1AM account that can assume a read-only role in the secondary AWS accounts.
• B.Configure the CloudTrail service in the primary AWS account and configure consolidated billing for all the secondary accounts. Then grant the auditor access to the S3 bucket that receives the CloudTrail log files.
• C.Configure the CloudTrail service in each AWS account and enable consolidated logging inside of CloudTrail.
• D.Configure the CloudTrail service in each AWS account and have the logs delivered to a single AWS bucket in the primary account and erant the auditor access to that single bucket in the orimarv account.

Comment: *

Name: *

Email: *

Verification: *

An organization is moving non-business-critical applications to IAM while maintaining a mission-critical application in an on-premises data center. An on-premises application must share limited confidential information with the applications in IAM. The internet performance is unpredictable.
Which configuration will ensure continued connectivity between sites MOST securely?

• A.VPN and a cached storage gateway
• B.IAM Snowball Edge
• C.VPN Gateway over IAM Direct Connect
• D.IAM Direct Connect

Comment: *

Name: *

Email: *

Verification: *