Topic 1: Mix Questions
With the threat of ransomware viruses encrypting and holding company data hostage, which action should be taken to protect an Amazon S3 bucket?
A. Deny Post, Put, and Delete on the bucket.
B. Enable server-side encryption on the bucket.
C. Enable Amazon S3 versioning on the bucket.
D. Enable snapshots on the bucket.
Answer: Enable server-side encryption on the bucket.
An Amazon EC2 instance is running an application that uses Amazon Simple Queue Service (Amazon SQS) queues. A SysOps administrator must ensure that the application can read, write, and delete messages from the SQS queues.
Which solution will meet these requirements in the MOST secure manner?
A. Create an IAM user with an IAM policy that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues. Embed the IAM user's credentials in the application's configuration.
B. Create an IAM user with an IAM policy that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues. Export the IAM user's access key and secret access key as environment variables on the EC2 instance.
C. Create and associate an IAM role that allows EC2 instances to call AWS services. Attach an IAM policy to the role that allows sqs:* permissions to the appropriate queues.
D. Create and associate an IAM role that allows EC2 instances to call AWS services. Attach an IAM policy to the role that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues.
Answer: Create and associate an IAM role that allows EC2 instances to call AWS services. Attach an IAM policy to the role that allows the sqs:SendMessage permission, the sqs:ReceiveMessage permission, and the sqs:DeleteMessage permission to the appropriate queues.
A company stores files on 50 Amazon S3 buckets in the same AWS Region. The company wants to connect to the S3 buckets securely over a private connection from its Amazon EC2 instances. The company needs a solution that produces no additional cost.
Which solution will meet these requirements?
A. Create a gateway VPC endpoint for each S3 bucket. Attach the gateway VPC endpoints to each subnet inside the VPC.
B. Create an interface VPC endpoint for each S3 bucket. Attach the interface VPC endpoints to each subnet inside the VPC.
C. Create one gateway VPC endpoint for all the S3 buckets. Add the gateway VPC endpoint to the VPC route table.
D. Create one interface VPC endpoint for all the S3 buckets. Add the interface VPC endpoint to the VPC route table.
Answer: Create one gateway VPC endpoint for all the S3 buckets. Add the gateway VPC endpoint to the VPC route table.
A company has multiple AWS Site-to-Site VPN connections between a VPC and its branch offices. The company manages an Amazon Elasticsearch Service (Amazon ES) domain that is configured with public access. The Amazon ES domain has an open domain access policy. A SysOps administrator needs to ensure that Amazon ES can be accessed only from the branch offices while preserving existing data.
Which solution will meet these requirements?
A. Configure an identity-based access policy on Amazon ES. Add an allow statement to the policy that includes the Amazon Resource Name (ARN) for each branch office VPN connection.
B. Configure an IP-based domain access policy on Amazon ES. Add an allow statement to the policy that includes the private IP CIDR blocks from each branch office network.
C. Deploy a new Amazon ES domain in private subnets in a VPC, and import a snapshot from the old domain. Create a security group that allows inbound traffic from the branch office CIDR blocks.
D. Reconfigure the Amazon ES domain in private subnets in a VPC. Create a security group
Answer: Configure an IP-based domain access policy on Amazon ES. Add an allow statement to the policy that includes the private IP CIDR blocks from each branch office network.
A large multinational company has a core application that runs 24 hours a day, 7 days a week on Amazon EC2 and AWS Lambda. The company uses a combination of operating systems across different AWS Regions. The company wants to achieve cost savings and wants to use a pricing model that provides the most flexibility.
What should the company do to MAXIMIZE cost savings while meeting these requirements?
A. Establish the compute expense by the hour. Purchase a Compute Savings Plan.
B. Establish the compute expense by the hour. Purchase an EC2 Instance Savings Plan.
C. Purchase a Reserved Instance for the instance types, operating systems, Region, and tenancy.
D. Use EC2 Spot Instances to match the instances that run in each Region.
Answer: Use EC2 Spot Instances to match the instances that run in each Region.
A company hosts its website on Amazon EC2 instances behind an Application Load Balancer. The company manages its DNS with Amazon Route 53 and wants to point its domain's zone apex to the website.
Which type of record should be used to meet these requirements?
A. A CNAME record for the domain's zone apex
B. An A record for the domain's zone apex
C. An AAAA record for the domain's zone apex
D. An alias record for the domain's zone apex
Answer: An alias record for the domain's zone apex
Explanation: NAT Gateway resides in public subnet, and traffic should be routed from private subnet to NAT Gateway: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html
An existing, deployed solution uses Amazon EC2 instances with Amazon EBS General Purpose SSD volumes, an Amazon RDS PostgreSQL database, an Amazon EFS file system, and static objects stored in an Amazon S3 bucket. The Security team now mandates that at-rest encryption be turned on immediately for all aspects of the application, without creating new resources and without any downtime. To satisfy the requirements, which one of these services can the SysOps administrator enable at-rest encryption on?
A. EBS General Purpose SSD volumes
B. RDS PostgreSQL database
C. Amazon EFS file systems
D. S3 objects within a bucket
Answer: S3 objects within a bucket
https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingEncryption.html
The security team is concerned because the number of AWS Identity and Access Management (IAM) policies being used in the environment is increasing. The team tasked a SysOps administrator to report on the current number of IAM policies in use and the total available IAM policies. Which AWS service should the administrator use to check how current IAM policy usage compares to current service limits?
A. AWS Trusted Advisor
B. Amazon Inspector
C. AWS Config
D. AWS Organizations
Answer: AWS Trusted Advisor
A company hosts an internal application on Amazon EC2 instances. All application data and requests route through an AWS Site-to-Site VPN connection between the on-premises network and AWS. The company must monitor the application for changes that allow network access outside of the corporate network. Any change that exposes the application externally must be restricted automatically.
Which solution meets these requirements in the MOST operationally efficient manner?
A. Create an AWS Lambda function that updates security groups that are associated with the elastic network interface to remove inbound rules with noncorporate CIDR ranges. Turn on VPC Flow Logs, and send the logs to Amazon CloudWatch Logs. Create an Amazon CloudWatch alarm that matches traffic from noncorporate CIDR ranges, and publish a message to an Amazon Simple Notification Service (Amazon SNS) topic with the Lambda function as a target.
B. Create a scheduled Amazon EventBridge (Amazon CloudWatch Events) rule that targets an AWS Systems Manager Automation document to check for public IP addresses on the EC2 instances. If public IP addresses are found on the EC2 instances, initiate another Systems Manager Automation document to terminate the instances.
C. Configure AWS Config and a custom rule to monitor whether a security group allows inbound requests from noncorporate CIDR ranges. Create an AWS Systems Manager Automation document to remove any noncorporate CIDR ranges from the application security groups.
D. Configure AWS Config and the managed rule for monitoring public IP associations with the EC2 instances by tag. Tag the EC2 instances with an identifier. Create an AWS Systems Manager Automation document to remove the public IP association from the EC2 instances.
Explanation: https://aws.amazon.com/blogs/security/how-to-auto-remediate-internet-accessible-ports-with-aws-config-and-aws-system-manager/
A company has deployed AWS Security Hub and AWS Config in a newly implemented organization in AWS Organizations. A SysOps administrator must implement a solution to restrict all member accounts in the organization from deploying Amazon EC2 resources in the ap-southeast-2 Region. The solution must be implemented from a single point and must govern all current and future accounts. The use of root credentials also must be restricted in member accounts.
Which AWS feature should the SysOps administrator use to meet these requirements?
A. AWS Config aggregator
B. IAM user permissions boundaries
C. AWS Organizations service control policies (SCPs)
D. AWS Security Hub conformance packs