A company is building a secure solution that relies on an AWS Key Management Service (AWS KMS) customer managed key. The company wants to allow AWS Lambda to use the KMS key. However, the company wants to prevent Amazon EC2 from using the key.
Which solution will meet these requirements?

1. A. Use IAM explicit deny for EC2 instance profiles and allow for Lambda roles.
2. B. Use a KMS key policy with kms:ViaService conditions to allow Lambda usage and deny EC2 usage.
3. C. Use aws:SourceIp and aws:AuthorizedService condition keys in the KMS key policy.
4. D. Use an SCP to deny EC2 and allow Lambda.

Correct Answer: B

A company uses AWS Organizations to manage an organization that consists of three workload OUs: Production, Development, and Testing. The company uses AWS CloudFormation templates to define and deploy workload infrastructure in AWS accounts that are associated with the OUs. Different SCPs are attached to each workload OU.
The company successfully deployed a CloudFormation stack update to workloads in the Development OU and the Testing OU. When the company uses the same CloudFormation template to deploy the stack update in an account in the Production OU, the update fails.
The error message reports insufficient IAM permissions.
What is the FIRST step that a security engineer should take to troubleshoot this issue?

1. A. Review the AWS CloudTrail logs in the account in the Production O
2. B. Search for any failed API calls from CloudFormation during the deployment attempt.
3. C. Remove all the SCPs that are attached to the Production O
4. D. Rerun the CloudFormation stack update to determine if the SCPs were preventing the CloudFormation API calls.
5. E. Confirm that the role used by CloudFormation has sufficient permissions to create, update, and delete the resources that are referenced in the CloudFormation template.
6. F. Make all the SCPs that are attached to the Production OU the same as the SCPs that are attached to the Testing OU.

Correct Answer: A

A company has a VPC that has no internet access and has the private DNS hostnames option enabled. An Amazon Aurora database is running inside the VPC. A security engineer wants to use AWS Secrets Manager to automatically rotate the credentials for the Aurora database. The security engineer configures the Secrets Manager default AWS Lambda rotation function to run inside the same VPC that the Aurora database uses. However, the security engineer determines that the password cannot be rotated properly because the Lambda function cannot communicate with the Secrets Manager endpoint.
What is the MOST secure way that the security engineer can give the Lambda function the ability to communicate with the Secrets Manager endpoint?

1. A. Add a NAT gateway to the VPC to allow access to the Secrets Manager endpoint.
2. B. Add a gateway VPC endpoint to the VPC to allow access to the Secrets Manager endpoint.
3. C. Add an interface VPC endpoint to the VPC to allow access to the Secrets Manager endpoint.
4. D. Add an internet gateway for the VPC to allow access to the Secrets Manager endpoint.

Correct Answer: C

A company is running an application in the eu-west-1 Region. The application uses an AWS Key Management Service (AWS KMS) customer managed key to encrypt sensitive data. The company plans to deploy the application in the eu-north-1 Region. A security engineer needs to implement a key management solution for the application deployment in the new Region. The security engineer must minimize changes to the application code.
Which change should the security engineer make to the AWS KMS configuration to meet these requirements?

1. A. Update the key policies in eu-west-1. Point the application in eu-north-1 to use the same customer managed key as the application in eu-west-1.
2. B. Allocate a new customer managed key to eu-north-1 to be used by the application that is deployed in that Region.
3. C. Allocate a new customer managed key to eu-north-1. Create the same alias name for both key
4. D. Configure the application deployment to use the key alias.
5. E. Allocate a new customer managed key to eu-north-1. Create an alias for eu--1. Change the application code to point to the alias for eu--1.

Correct Answer: C

A company has a PHP-based web application that uses Amazon S3 as an object store for user files. The S3 bucket is configured for server-side encryption with Amazon S3 managed keys (SSE-S3). New requirements mandate full control of encryption keys.
Which combination of steps must a security engineer take to meet these requirements? (Select THREE.)

1. A. Create a new customer managed key in AWS Key Management Service (AWS KMS).
2. B. Change the SSE-S3 configuration on the S3 bucket to server-side encryption with customer-provided keys (SSE-C).
3. C. Configure the PHP SDK to use the SSE-S3 key before upload.
4. D. Create an AWS managed key for Amazon S3 in AWS KMS.
5. E. Change the SSE-S3 configuration on the S3 bucket to server-side encryption with AWS KMS managed keys (SSE-KMS).
6. F. Change all the S3 objects in the bucket to use the new encryption key.

Correct Answer: AEF