Authorized Administrators are unable to connect to an Amazon EC2 Linux bastion host using SSH over the Internet. The connection either fails to respond or generates the following error message:
Network error: Connection timed out.
What could be responsible for the connection failure? (Choose three.)
A. The NAT gateway in the subnet where the EC2 instance is deployed has been misconfigured
B. The internet gateway of the VPC has been reconfigured
C. The security group denies outbound traffic on ephemeral ports
D. The route table is missing a route to the internet gateway
E. The NACL denies outbound traffic on ephemeral ports
F. The host-based firewall is denying SSH traffic
A company uses SAML federation with AWS Identity and Access Management (IAM) to provide internal users with SSO for their AWS accounts. The company's identity provider certificate was rotated as part of its normal lifecycle. Shortly after, users started receiving the following error when attempting to log in:
"Error: Response Signature Invalid (Service: AWSSecurityTokenService; Status Code: 400; Error Code: InvalidIdentityToken)"
A security engineer needs to address the immediate issue and ensure that it will not occur again.
Which combination of steps should the security engineer take to accomplish this? (Select TWO.)
A. Download a new copy of the SAML metadata file from the identity provider. Create a new IAM identity provider entity. Upload the new metadata file to the new IAM identity provider entity.
B. During the next certificate rotation period and before the current certificate expires, add a new certificate as the secondary to the identity provider. Generate a new metadata file and upload it to the IAM identity provider entity. Perform automated or manual rotation of the certificate when required.
C. Download a new copy of the SAML metadata file from the identity provider. Upload the new metadata to the IAM identity provider entity configured for the SAML integration in question.
D. During the next certificate rotation period and before the current certificate expires, add a new certificate as the secondary to the identity provider. Generate a new copy of the metadata file and create a new IAM identity provider entity. Upload the metadata file to the new IAM identity provider entity. Perform automated or manual rotation of the certificate when required.
E. Download a new copy of the SAML metadata file from the identity provider. Create a new IAM identity provider entity. Upload the new metadata file to the new IAM identity provider entity. Update the identity provider configurations to pass a new IAM identity provider entity name in the SAML assertion.
An IAM user with full EC2 permissions could not start an Amazon EC2 instance after it was stopped for a maintenance task. Upon starting the instance, the instance state would change to "Pending", but after a few seconds, it would switch back to "Stopped".
An inspection revealed that the instance has attached Amazon EBS volumes that were encrypted by using a Customer Master Key (CMK). When these encrypted volumes were detached, the IAM user was able to start the EC2 instances.
The IAM user policy is as follows:
What additional items need to be added to the IAM user policy? (Choose two.)
A. kms:GenerateDataKey
B. kms:Decrypt
C. kms:CreateGrant
D. "Condition": {"Bool": {"kms:ViaService": "ec2.us-west-2.amazonaws.com"}}
E. "Condition": {"Bool": {"kms:GrantIsForAWSResource": true}}
You have a 2-tier application hosted in AWS. It consists of a web server and a database server (SQL Server) hosted on separate EC2 Instances. You are devising the security groups for these EC2 Instances. The Web tier needs to be accessed by users across the Internet. You have created a web security group (wg-123) and a database security group (db-345). Which combination of the following security group rules will allow the application to be secure and functional? Choose 2 answers from the options given below.
Please select:
A. wg-123 -Allow ports 80 and 443 from 0.0.0.0/0
B. db-345 - Allow port 1433 from wg-123
C. wg-123 - Allow port 1433 from wg-123
D. db-345 -Allow ports 1433 from 0.0.0.0/0
A company needs to encrypt all of its data stored in Amazon S3. The company wants to use AWS Key Management Service (AWS KMS) to create and manage its encryption keys. The company's security policies require the ability to Import the company's own key material for the keys, set an expiration date on the keys, and delete keys immediately, if needed.
How should a security engineer set up AWS KMS to meet these requirements?
A. Configure AWS KMS and use a custom key store. Create a customer managed CMK with no key material. Import the company's keys and key material into the CMK.
B. Configure AWS KMS and use the default key store. Create an AWS managed CMK with no key material. Import the company's key material into the CMK.
C. Configure AWS KMS and use the default key store. Create a customer managed CMK with no key material. Import the company's key material into the CMK.
D. Configure AWS KMS and use a custom key store. Create an AWS managed CMK with no key material. Import the company's key material into the CMK.
An organization has a multi-petabyte workload that it is moving to Amazon S3, but the CISO is concerned about cryptographic wear-out and the blast radius if a key is compromised.
How can the CISO be assured that AWS KMS and Amazon S3 are addressing the concerns? (Choose two.)
A. There is no API operation to retrieve an S3 object in its encrypted form.
B. Encryption of S3 objects is performed within the secure boundary of the KMS service.
C. S3 uses KMS to generate a unique data key for each individual object.
D. Using a single master key to encrypt all data includes having a single place to perform audits and usage validation.
E. The KMS encryption envelope digitally signs the master key during encryption to prevent cryptographic wear-out.
A security engineer needs to build a solution to turn AWS CloudTrail back on in multiple AWS Regions in case it is ever turned off. What is the MOST efficient way to implement this solution?
A. Use AWS Config with a managed rule to trigger the AWS-EnableCloudTrail remediation.
B. Create an Amazon EventBridge (Amazon CloudWatch Events) event with a cloudtrail.amazonaws.com event source and a StartLogging event name to trigger an AWS Lambda function to call the StartLogging API.
C. Create an Amazon CloudWatch alarm with a cloudtrail.amazonaws.com event source and a StopLogging event name to trigger an AWS Lambda function to call the StartLogging API.
D. Monitor AWS Trusted Advisor to ensure CloudTrail logging is enabled.
A security team is implementing a centralized logging solution to meet requirements for auditing. The solution must be able to aggregate logs from Amazon CloudWatch and AWS CloudTrail to an account that is controlled by the security team. This approach must be usable across the entire organization in AWS Organizations.
Which solution meets these requirements in the MOST operationally efficient manner?
A. In each AWS account, create an Amazon Kinesis Data Firehose delivery stream that has a destination of Amazon S3 in the security team's account. Create a subscription for each Amazon CloudWatch Logs log group in each AWS account to the Kinesis Data Firehose delivery stream in the same account. For the organization, create a CloudTrail trail that has a destination of Amazon S3.
B. In the security team's account, create an Amazon Kinesis Data Firehose delivery stream that has a destination of Amazon S3 in the same account. Create a subscription for each Amazon CloudWatch Logs log group in each AWS account to the Kinesis Data Firehose delivery stream in the security team's account. For each AWS account, create a CloudTrail trail that has a destination of Amazon S3.
C. In each AWS account, create an Amazon Kinesis data stream that has a destination of Amazon S3 in the security team's account. Create a subscription for each Amazon CloudWatch Logs log group in each AWS account to the Kinesis data stream in the same account. For the organization, create a CloudTrail trail that has a destination of Amazon S3.
D. In the security team's account, create an Amazon Kinesis data stream that has a destination of Amazon S3 in the same account. Create a subscription for each Amazon CloudWatch Logs log group in each AWS account to the Kinesis data stream in the security team's account. For each AWS account, create a CloudTrail trail that has a destination of Amazon S3.
A company is using Amazon GuardDuty in its AWS environment. The company asks a security engineer to suspend GuardDuty. Which combination of steps must the security engineer perform to meet this requirement? (Choose two.)
A. Disable all optional data sources from all detectors in all regions.
B. Disassociate or delete all member accounts.
C. Disable all associated monitoring services.
D. Delete all existing findings.
E. Export all existing findings.
A company has two VPCs that are in the same AWS account. One VPC is located in the us-east-1 Region, and the other VPC is located in the us-west-2 region. The VPCs have an active VPC peering connection with each other, and the route tables for each VPC are configured to route network traffic properly between each VPC.
An Amazon Aurora DB instance exists in the VPC in us-east-1, and the DB instance's security group controls access to the DB instance. An Auto Scaling group is running in the VPC in us-west-2. The Auto Scaling group is continually adding and removing Amazon EC2 instances because of fluctuations in the demand for capacity. Every EC2 instance that launches as part of the Auto Scaling group belongs to a security group that is specific to the Auto Scaling group.
A security engineer needs to configure a solution that allows the EC2 instances to access the DB instance that is located in us-east-1.
Which solution will meet these requirements with the LEAST amount of effort?
A. Add the ID of the DB instance's security group to the inbound rules of the EC2 instances’ security group.
B. Add the subnets used by the Auto Scaling group of the VPC in us-west-2 to the DB instance's security group.
C. Add the private IP address of each EC2 instance from the Auto Scaling group to the DB instance's security group.
D. Add the ID of the EC2 instances’ security group to the inbound rules of the DB instance's security group.