A company runs a web application on a fleet of Amazon EC2 instances that are in an Auto Scaling group. The EC2 instances are in the same VPC subnet as other workloads.
A security engineer deploys an Amazon GuardDuty detector in the same AWS Region as the EC2 instances and integrates GuardDuty with AWS Security Hub.
The security engineer needs to implement an automated solution to detect and appropriately respond to anomalous traffic patterns for the web application. The solution must comply with AWS best practices forinitial response to security incidentsand mustminimize disruptionto the web application.
Which solution will meet these requirements?
A company manages multiple AWS accounts through an organization in AWS Organizations. The company enables all features in the organization.
A security team must implement a solution to centrally manage VPC security groups across the accounts. The company uses an existing reference security group with the required configuration. The solution must detect if security group rules have been modified to deviate from the reference security group. The solution must automatically restore any noncompliant security groups to match the reference security group.
The security team needs to select a solution that does not require custom development or scripting.
Which solution will meet these requirements?
A company wants to establish separate AWS Key Management Service (AWS KMS) keys to use for different AWS services. The company ' s security engineer created the following key policy to allow the infrastructure deployment team to create encrypted Amazon Elastic Block Store (Amazon EBS) volumes by assuming the InfrastructureDeployment IAM role:
{
" Version " : " 2012-10-17 " ,
" Id " : " key-policy-ebs " ,
" Statement " : [
{
" Sid " : " Enable IAM User Permissions " ,
" Effect " : " Allow " ,
" Principal " : {
" AWS " : " arn:aws:iam::123456789012:root "
},
" Action " : " kms:* " ,
" Resource " : " * "
},
{
" Sid " : " Allow use of the key " ,
" Effect " : " Allow " ,
" Principal " : {
" AWS " : " arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/InfrastructureDeployment "
},
" Action " : [
" kms:Encrypt " ,
" kms:Decrypt " ,
" kms:ReEncrypt* " ,
" kms:GenerateDataKey* " ,
" kms:DescribeKey " ,
" kms:CreateGrant " ,
" kms:ListGrants " ,
" kms:RevokeGrant "
],
" Resource " : " * " ,
" Condition " : {
" StringEquals " : {
" kms:ViaService " : " ec2.us-west-2.amazonaws.com "
}
}
}
]
}
The security engineer recently discovered that IAM rolesother thanthe InfrastructureDeployment role used this key for other services.
Which change to the policy should the security engineer make to resolve these issues?
A company uploads data files as objects into an Amazon S3 bucket. A vendor downloads the objects to perform data processing.
A security engineer must implement a solution that prevents objects from residing in the S3 bucket for longer than 72 hours.