Exam Code: SCS-C01
Exam Name: AWS Certified Security - Specialty (SCS-C01)
Updated: Nov 27, 2024
Q&As: 733
A company has enabled Amazon GuardDuty in all Regions as part of its security monitoring strategy. In one of the VPCs, the company hosts an Amazon EC2 instance working as an FTP server that is contacted by a high number of clients from multiple locations. This is identified by GuardDuty as a brute force attack due to the high number of connections that happen every hour.
The finding has been flagged as a false positive. However, GuardDuty keeps raising the issue. A Security Engineer has been asked to improve the signal-to-noise ratio. The Engineer needs to ensure that changes do not compromise the visibility of potential anomalous behavior.
How can the Security Engineer address the issue?
A. Disable the FTP rule in GuardDuty in the Region where the FTP server is deployed
B. Add the FTP server to a trusted IP list and deploy it to GuardDuty to stop receiving the notifications
C. Use GuardDuty filters with auto archiving enabled to close the findings
D. Create an AWS Lambda function that closes the finding whenever a new occurrence is reported
An application has been built with Amazon EC2 instances that retrieve messages from Amazon SQS. Recently, IAM changes were made and the instances can no longer retrieve messages.
What actions should be taken to troubleshoot the issue while maintaining least privilege? (Select two.)
A. Configure and assign an MFA device to the role used by the instances.
B. Verify that the SQS resource policy does not explicitly deny access to the role used by the instances.
C. Verify that the access key attached to the role used by the instances is active.
D. Attach the AmazonSQSFullAccess managed policy to the role used by the instances.
E. Verify that the role attached to the instances contains policies that allow access to the queue.
A company wants to control access to its AWS resources by using identities and groups that are defined in its existing Microsoft Active Directory. What must the company create in its AWS account to map permissions for AWS services to Active Directory user attributes?
A. AWS IAM groups
B. AWS IAM users
C. AWS IAM roles
D. AWS IAM access keys
A company needs to encrypt all of its data stored in Amazon S3. The company wants to use AWS Key Management Service (AWS KMS) to create and manage its encryption keys. The company's security policies require the ability to import the company's own key material for the keys, set an expiration date on the keys, and delete keys immediately, if needed.
How should a security engineer set up AWS KMS to meet these requirements?
A. Configure AWS KMS and use a custom key store. Create a customer managed CMK with no key material. Import the company's keys and key material into the CMK.
B. Configure AWS KMS and use the default key store. Create an AWS managed CMK with no key material. Import the company's key material into the CMK.
C. Configure AWS KMS and use the default key store. Create a customer managed CMK with no key material. Import the company's key material into the CMK.
D. Configure AWS KMS and use a custom key store. Create an AWS managed CMK with no key material. Import the company's key material into the CMK.
A corporation is preparing to acquire several companies. A Security Engineer must design a solution to ensure that newly acquired AWS accounts follow the corporation's security best practices. The solution should monitor each Amazon S3 bucket for unrestricted public write access and use AWS managed services.
What should the Security Engineer do to meet these requirements?
A. Configure Amazon Macie to continuously check the configuration of all S3 buckets.
B. Enable AWS Config to check the configuration of each S3 bucket.
C. Set up AWS Systems Manager to monitor S3 bucket policies for public write access.
D. Configure an Amazon EC2 instance to have an IAM role and a cron job that checks the status of all S3 buckets.