A security engineer receives a notice about suspicious activity from a Linux-based Amazon EC2 instance that uses Amazon Elastic Block Store (Amazon EBS)-based storage. The instance is making connections to known malicious addresses.
The instance is in a development account within a VPC that is in the us-east-1 Region. The VPC contains an internet gateway and has a subnet in us-east-1a and us-east-1b. Each subnet is associated with a route table that uses the internet gateway as a default route. Each subnet also uses the default network ACL. The suspicious EC2 instance runs within the us-east-1b subnet. During an initial investigation, a security engineer discovers that the suspicious instance is the only instance that runs in the subnet.
Which response will immediately mitigate the attack and help investigate the root cause?

1. A. Log in to the suspicious instance and use the netstat command to identify remote connection
2. B. Use the IP addresses from these remote connections to create deny rules in the security group of the instanc
3. C. Install diagnostic tools on the instance for investigatio
4. D. Update the outbound network ACL for the subnet in us-east-1b to explicitly deny all connections as the first rule during the investigation of the instance.
5. E. Update the outbound network ACL for the subnet in us-east-1b to explicitly deny all connections as the first rul
6. F. Replace the security group with a new security group that allows connections only from a diagnostics security grou
7. G. Update the outbound network ACL for the us-east-1b subnet to remove the deny all rul
8. H. Launch a new EC2 instance that has diagnostic tool
9. I. Assign the new security group to the new EC2 instanc
10. J. Use the new EC2 instance to investigate the suspicious instance.
11. K. Ensure that the Amazon Elastic Block Store (Amazon EBS) volumes that are attached to the suspicious EC2 instance will not delete upon terminatio
12. L. Terminate the instanc
13. M. Launch a new EC2 instance in us-east-1a that has diagnostic tool
14. N. Mount the EBS volumes from the terminated instance for investigation.
15. O. Create an AWS WAF web ACL that denies traffic to and from the suspicious instanc
16. P. Attach the AWS WAF web ACL to the instance to mitigate the attac
17. Q. Log in to the instance and install diagnostic tools to investigate the instance.

Correct Answer: C

A company uses AWS IAM Identity Center to manage access to its AWS accounts. The accounts are in an organization in AWS Organizations. A security engineer needs to set up delegated administration of IAM Identity Center in the organization??s management account.
Which combination of steps should the security engineer perform in IAM Identity Center before configuring delegated administration? (Select THREE.)

1. A. Grant least privilege access to the organization's management account.
2. B. Create a new IAM Identity Center directory in the organization's management account.
3. C. Set up a second AWS Region in the organization??s management account.
4. D. Create permission sets for use only in the organization's management account.
5. E. Create IAM users for use only in the organization's management account.
6. F. Create user assignments only in the organization's management account.

Correct Answer: BDF

A company is using AWS Organizations with nested OUs to manage AWS accounts. The company has a custom compliance monitoring service for the accounts. The monitoring service runs as an AWS Lambda function and is invoked by Amazon EventBridge Scheduler.
The company needs to deploy the monitoring service in all existing and future accounts in the organization. The company must avoid using the organization's management account when the management account is not required.
Which solution will meet these requirements?

1. A. Create a CloudFormation stack set in the organization's management account andmanually add new accounts.
2. B. Configure a delegated administrator account for AWS CloudFormatio
3. C. Create a CloudFormation StackSet in the delegated administrator account targeting the organization root with automatic deployment enabled.
4. D. Use Systems Manager delegated administration and Automation to deploy the Lambda function and schedule.
5. E. Create a Systems Manager Automation runbook in the management account and share it to accounts.

Correct Answer: B

A company uses an organization in AWS Organizations to manage multiple AWS accounts. The company wants to centrally give users the ability to access Amazon Q Developer.
Which solution will meet this requirement?

1. A. Enable AWS IAM Identity Center and set up Amazon Q Developer as an AWS managed application.
2. B. Enable Amazon Cognito and create a new identity pool for Amazon Q Developer.
3. C. Enable Amazon Cognito and set up Amazon Q Developer as an AWS managed application.
4. D. Enable AWS IAM Identity Center and create a new identity pool for Amazon Q Developer.

Correct Answer: A