[Infrastructure Security]
A company is using AWS Organizations to manage multiple accounts. The company needs to allow an IAM user to use a role to access resources that are in another organization's AWS account.
Which combination of steps must the company perform to meet this requirement? (Select TWO.)
To allow cross-account access to resources using IAM roles, the following steps are required:
Create a role in the AWS account that contains the resources (the trusting account) and specify the AWS account that contains the IAM user (the trusted account) as a trusted entity in the role's trust policy. This allows users from the trusted account to assume the role and access resources in the trusting account.
Ensure that the IAM user has permission to assume the role in their own AWS account. This can be done by creating an identity policy that allows the sts:AssumeRole action and attaching it to the IAM user or their group.
Ensure that there are no service control policies (SCPs) in the organization that owns the resources that deny or restrict access to the sts:AssumeRole action or the role itself. SCPs are applied to all accounts in an organization and can override any permissions granted by IAM policies.
Verified References:
https://repost.aws/knowledge-center/cross-account-access-iam
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
[Infrastructure Security]
A company uses a third-party application to store encrypted data in Amazon S3. The company uses another third-party application trial decrypts the data from Amazon S3 to ensure separation of duties Between the applications A Security Engineer warns to separate the permissions using IAM roles attached to Amazon EC2 instances. The company prefers to use native IAM services.
Which encryption method will meet these requirements?
[Identity and Access Management]
A security administrator is restricting the capabilities of company root user accounts. The company uses AWS Organizations and has all features enabled. The management account is used for billing and administrative purposes, but it is not used for operational AWS resource purposes.
How can the security administrator restrict usage of member root user accounts across the organization?
Restrict Root User Capabilities Using Service Control Policies (SCPs):
SCPs in AWS Organizations provide the ability to control permissions for AWS accounts in the organization.
Create a new organizational unit (OU) and move all member accounts into this OU.
Create SCP for Root User Restrictions:
Define an SCP that denies critical actions likeiam:CreateUser,iam:DeleteUser, or other high-risk actions for the root user. Example SCP:
{
'Version': '2012-10-17',
'Statement':
[
{
'Effect': 'Deny',
'Action': '*',
'Resource': '*',
'Condition': {
'StringEquals': {
'aws:PrincipalAccountRoot': 'true'
}
}
}
]
}
Enforce Multi-Factor Authentication (MFA):
Enable MFA on root accounts for additional security.
Monitor Root User Activity:
Use AWS CloudTrail to monitor and log root user actions. Configure alerts with CloudWatch for any unauthorized root usage.
AWS Organizations SCP Documentation
Best Practices for Root User Account
[Identity and Access Management]
A development team is attempting to encrypt and decode a secure string parameter from the IAM Systems Manager Parameter Store using an IAM Key Management Service (IAM KMS) CMK. However, each attempt results in an error message being sent to the development team.
Which CMK-related problems possibly account for the error? (Select two.)
https://docs.IAM.amazon.com/kms/latest/developerguide/services-parameter-store.html#parameter-store-cmk-fail
[Infrastructure Security]
A company has AWS accounts in an organization in AWS Organizations. The company needs to install a corporate software package on all Amazon EC2 instances for all the accounts in the organization.
A central account provides base AMIs for the EC2 instances. The company uses AWS Systems Manager for software inventory and patching operations.
A security engineer must implement a solution that detects EC2 instances ttjat do not have the required software. The solution also must automatically install the software if the software is not present.
Which solution will meet these requirements?
Utilizing AWS Config with a custom AWS Config rule (ec2-managedinstance-applications-required) enables detection of EC2 instances lacking the required software across all accounts in an organization. By creating an Amazon EventBridge rule that triggers on AWS Config events, and configuring it to invoke an AWS Lambda function, automated actions can be taken to ensure compliance. The Lambda function can leverage AWS Systems Manager Run Command to install the necessary software on non-compliant instances. This approach ensures continuous compliance and automated remediation, aligning with best practices for cloud security and management.
Jason Roberts
19 days agoStephanie Nguyen
30 days agoBarbara Carter
2 months agoRyan Phillips
2 months agoSusan King
3 months agoJoseph Parker
2 months agoEmily Lopez
2 months agoEmily Hernandez
2 months agoSharon Hernandez
2 months agoJohn Cook
2 months agoTwana
3 months agoEarlean
3 months agoTyisha
4 months agoLajuana
4 months agoTammi
4 months agoJustine
4 months agoNiesha
5 months agoJonelle
5 months agoLatosha
5 months agoAlita
5 months agoTitus
6 months agoHelaine
6 months agoRoyal
6 months agoAnnelle
6 months agoAudrie
7 months agoMiesha
7 months agoRossana
7 months agoSharika
7 months agoVivienne
8 months agoRasheeda
8 months agoDannette
8 months agoDorinda
8 months agoShakira
9 months agoLashunda
9 months agoNoe
9 months agoWava
9 months agoIsadora
10 months agoNydia
10 months agoAnnabelle
10 months agoSusana
1 year agoNaomi
1 year agoLauran
1 year agoDelmy
1 year agoIzetta
1 year agoKanisha
1 year agoMiesha
1 year agoCandra
1 year agoDan
1 year agoElliott
1 year agoAdelina
1 year agoAnnabelle
1 year agoStephane
1 year agoBerry
1 year agoLura
2 years agoEden
2 years agoFelicia
2 years agoRolande
2 years agoLeonie
2 years agoLarae
2 years agoRolland
2 years agoLorrine
2 years agoFausto
2 years agoCurtis
2 years agoBrock
2 years agoLazaro
2 years agoCasie
2 years agoGerald
2 years agoMarcos
2 years agoTawny
2 years agoClemencia
2 years agoArthur
2 years agoRashad
2 years agoRodrigo
2 years agoElvera
2 years agoDorinda
2 years agoJames
2 years agoGary
2 years agoShaniqua
2 years agoRory
2 years agoStephaine
2 years agoAmmie
2 years agoChristiane
2 years agoNu
2 years agoLamonica
2 years ago