An Amazon EC2 instance is denied access to a newly created AWS KMS CMK used for decrypt actions. The environment has the following configuration:
The instance is allowed the kms:Decrypt action in its IAM role for all resources The AWS KMS CMK status is set to enabled The instance can communicate with the KMS API using a configured VPC endpoint What is causing the issue?

• A.The kms:GenerateDataKey permission is missing from the EC2 instance's IAM role
• B.The ARN tag on the CMK contains the EC2 instance's ID instead of the instance's ARN
• C.The kms:Encrypt permission is missing from the EC2 IAM role
• D.The KMS CMK key policy that enables IAM user permissions is missing

Comment: *

Name: *

Email: *

Verification: *

A security engineer must develop an encryption tool for a company. The company requires a cryptographic solution that supports the ability to perform cryptographic erasure on all resources protected by the key material in 15 minutes or less Which AWS Key Management Service (AWS KMS) key solution will allow the security engineer to meet these requirements?

• A.Use an AWS KMS customer managed CMK
• B.Use an AWS managed CMK.
• C.Use an AWS KMS CMK
• D.Use Imported key material with CMK

Comment: *

Name: *

Email: *

Verification: *

You are working for a company and been allocated the task for ensuring that there is a federated authentication mechanism setup between IAM and their On-premise Active Directory. Which of the following are important steps that need to be covered in this process? Choose 2 answers from the options given below.
Please select:

• A.Ensure the right match is in place for On-premise AD Groups and IAM Roles.
• B.Ensure the right match is in place for On-premise AD Groups and IAM Groups.
• C.Configure IAM as the relying party in Active Directory
• D.Configure IAM as the relying party in Active Directory Federation services

Correct Answer: A,D

Explanation
The IAM Documentation mentions some key aspects with regards to the configuration of On-premise AD with IAM One is the Groups configuration in AD Active Directory Configuration Determining how you will create and delineate your AD groups and IAM roles in IAM is crucial to how you secure access to your account and manage resources. SAML assertions to the IAM environment and the respective IAM role access will be managed through regular expression (regex) matching between your on-premises AD group name to an IAM IAM role.
One approach for creating the AD groups that uniquely identify the IAM IAM role mapping is by selecting a common group naming convention. For example, your AD groups would start with an identifier, for example, IAM-, as this will distinguish your IAM groups from others within the organization. Next include the
12-digitIAM account number. Finally, add the matching role name within the IAM account. Here is an example:

And next is the configuration of the relying party which is IAM
ADFS federation occurs with the participation of two parties; the identity or claims provider (in this case the owner of the identity repository - Active Directory) and the relying party, which is another application that wishes to outsource authentication to the identity provider; in this case Amazon Secure Token Service (STS).
The relying party is a federation partner that is represented by a claims provider trust in the federation service.
Option B is invalid because AD groups should not be matched to IAM Groups Option C is invalid because the relying party should be configured in Active Directory Federation services For more information on the federated access, please visit the following URL:
1
https://IAM.amazon.com/blogs/security/IAM-federated-authentication-with-active-directory-federation-services- The correct answers are: Ensure the right match is in place for On-premise AD Groups and IAM Roles., Configure IAM as the relying party in Active Directory Federation services Submit your Feedback/Queries to our Experts

Comment: *

Name: *

Email: *

Verification: *

A user has created a VPC with the public and private subnets using the VPC wizard. The VPC has CIDR
20.0.0.0/16. The public subnet uses CIDR 20.0.1.0/24. The user is planning to host a web server in the public subnet with port 80 and a Database server in the private subnet with port 3306. The user is configuring a security group for the public subnet (WebSecGrp) and the private subnet (DBSecGrp). which of the below mentioned entries is required in the private subnet database security group DBSecGrp?
Please select:

• A.Allow Inbound on port 3306 for Source Web Server Security Group WebSecGrp.
• B.Allow Inbound on port 3306 from source 20.0.0.0/16
• C.Allow Outbound on port 3306 for Destination Web Server Security Group WebSecGrp.
• D.Allow Outbound on port 80 for Destination NAT Instance IP

Correct Answer: A

Explanation
Since the Web server needs to talk to the database server on port 3306 that means that the database server should allow incoming traffic on port 3306. The below table from the aws documentation shows how the security groups should be set up.

Option B is invalid because you need to allow incoming access for the database server from the WebSecGrp security group.
Options C and D are invalid because you need to allow Outbound traffic and not inbound traffic For more information on security groups please visit the below Link:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC
Scenario2.html
The correct answer is: Allow Inbound on port 3306 for Source Web Server Security Group WebSecGrp.
Submit your Feedback/Queries to our Experts

Comment: *

Name: *

Email: *

Verification: *

A corporation is preparing to acquire several companies. A Security Engineer must design a solution to ensure that newly acquired IAM accounts follow the corporation's security best practices. The solution should monitor each Amazon S3 bucket for unrestricted public write access and use IAM managed services.
What should the Security Engineer do to meet these requirements?

• A.Configure Amazon Macie to continuously check the configuration of all S3 buckets.
• B.Configure an Amazon EC2 instance to have an IAM role and a cron job that checks the status of all S3 buckets.
• C.Set up IAM Systems Manager to monitor S3 bucket policies for public write access.
• D.Enable IAM Config to check the configuration of each S3 bucket.

Comment: *

Name: *

Email: *

Verification: *