A company has retail stores The company is designing a solution to store scanned copies of customer receipts on Amazon S3 Files will be between 100 KB and 5 MB in PDF format Each retail store must have a unique encryption key Each object must be encrypted with a unique key Which solution will meet these requirements?

• A.Create a dedicated AWS Key Management Service (AWS KMS) customer managed key for each retail store Use the S3 Put operation to upload the objects to Amazon S3 Specify server-side encryption with AWS KMS keys (SSE-KMS) and the key ID of the store's key
• B.Create a new AWS Key Management Service (AWS KMS) customer managed key every day for each retail store Use the KMS Encrypt operation to encrypt objects Then upload the objects to Amazon S3
• C.Run the AWS Key Management Service (AWS KMS) GenerateDataKey operation every day for each retail store Use the data key and client-side encryption to encrypt the objects Then upload the objects to Amazon S3
• D.Use the AWS Key Management Service (AWS KMS) ImportKeyMaterial operation to import new key material to AWS KMS every day for each retail store Use a customer managed key and the KMS Encrypt operation to encrypt the objects Then upload the objects to Amazon S3

Comment: *

Name: *

Email: *

Verification: *

A company is migrating one of its legacy systems from an on-premises data center to AWS. The application server will run on AWS, but the database must remain in the on-premises data center for compliance reasons. The database is sensitive to network latency. Additionally, the data that travels between the on-premises data center and AWS must have IPsec encryption.
Which combination of AWS solutions will meet these requirements? (Choose two.)

• A.AWS Site-to-Site VPN
• B.AWS Direct Connect
• C.AWS VPN CloudHub
• D.VPC peering
• E.NAT gateway
• F.NAT gateway is a service that allows you to enable internet access for instances in a private subnet in your AWS VPC. This solution does not meet the requirement of connecting an on-premises data center to AWS, as it only works for outbound traffic from your VPC.

Comment: *

Name: *

Email: *

Verification: *

A company's Chief Security Officer has requested that a Security Analyst review and improve the security posture of each company IAM account The Security Analyst decides to do this by Improving IAM account root user security.
Which actions should the Security Analyst take to meet these requirements? (Select THREE.)

• A.Create a custom IAM policy to limit permissions to required actions for the account root user and attach the policy to the account root user.
• B.Implement a strong password to help protect account-level access to the IAM Management Console by the account root user.
• C.Create an admin IAM user with administrative privileges and delete the account root user in every account.
• D.Enable multi-factor authentication (MFA) on every account root user in all accounts.
• E.Attach an IAM role to the account root user to make use of the automated credential rotation in IAM STS.
• F.Delete the access keys for the account root user in every account.

Comment: *

Name: *

Email: *

Verification: *

A developer signed in to a new account within an IAM Organization organizational unit (OU) containing multiple accounts. Access to the Amazon $3 service is restricted with the following SCP.

How can the security engineer provide the developer with Amazon $3 access without affecting other account?

• A.Create a new OU without applying the SCP restricting $3 access. Move the developer account to this new OU.
• B.Add an IAM policy for the developer, which grants $3 access.
• C.Move the SCP to the root OU of organization to remove the restriction to access Amazon $3.
• D.Add an allow list for the developer account for the $3 service.

Comment: *

Name: *

Email: *

Verification: *

A company needs to follow security best practices to deploy resources from an AWS CloudFormation template. The CloudFormation template must be able to configure sensitive database credentials.
The company already uses AWS Key Management Service (AWS KMS) and AWS Secrets Manager.
Which solution will meet the requirements?

• A.Use a parameter in the CloudFormation template to reference the database credentials. Encrypt the CloudFormation template by using AWS KMS.
• B.Use a SecureString parameter in the CloudFormation template to reference an encrypted value in AWS KMS
• C.Use a SecureString parameter in the CloudFormation template to reference the database credentials in Secrets Manager.
• D.Use a dynamic reference in the CloudFormation template to reference the database credentials in Secrets Manager.

Comment: *

Name: *

Email: *

Verification: *