A security engineer needs to implement AWS IAM Identity Center with an external identity provider (IdP).
Select and order the correct steps from the following list to meet this requirement. Select each step one time or not at all. (Select and order THREE.)
. Configure the external IdP as the identity source in IAM Identity Center.
. Create an IAM role that has a trust policy that specifies the IdP ' s API endpoint.
. Enable automatic provisioning in IAM Identity Center settings.
. Enable automatic provisioning in the external IdP.
. Obtain the SAML metadata from IAM Identity Center.
. Obtain the SAML metadata from the external IdP.

A systems administrator was attempting to launch a new Amazon EC2 instance with an encrypted boot volume using a new AWS KMS customer managed key. The EC2 console initially stated the launch was successful, but the instance was subsequently terminated. The IAM role used by the systems administrator has the following IAM permissions:
• ec2:Describe*
• ec2:AuthorizeSecurityGroupIngress
• kms:Encrypt
• kms:Decrypt
• kms:ReEncrypt*
• kms:GenerateDataKey*
• kms:DescribeKey
Which IAM permission is the systems administrator missing?
A company has a platform that is divided into 12 AWS accounts under the same organization in AWS Organizations. Many of these accounts use Amazon API Gateway to expose APIs to the company ' s frontend applications. The company needs to protect the existing APIs and any resources that will be deployed in the future against common SQL injection and bot attacks.
Which solution will meet these requirements with the LEAST operational overhead?
A company wants to establish separate AWS Key Management Service (AWS KMS) keys to use for different AWS services. The company ' s security engineer created the following key policy to allow the infrastructure deployment team to create encrypted Amazon Elastic Block Store (Amazon EBS) volumes by assuming the InfrastructureDeployment IAM role:
{
" Version " : " 2012-10-17 " ,
" Id " : " key-policy-ebs " ,
" Statement " : [
{
" Sid " : " Enable IAM User Permissions " ,
" Effect " : " Allow " ,
" Principal " : {
" AWS " : " arn:aws:iam::123456789012:root "
},
" Action " : " kms:* " ,
" Resource " : " * "
},
{
" Sid " : " Allow use of the key " ,
" Effect " : " Allow " ,
" Principal " : {
" AWS " : " arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/InfrastructureDeployment "
},
" Action " : [
" kms:Encrypt " ,
" kms:Decrypt " ,
" kms:ReEncrypt* " ,
" kms:GenerateDataKey* " ,
" kms:DescribeKey " ,
" kms:CreateGrant " ,
" kms:ListGrants " ,
" kms:RevokeGrant "
],
" Resource " : " * " ,
" Condition " : {
" StringEquals " : {
" kms:ViaService " : " ec2.us-west-2.amazonaws.com "
}
}
}
]
}
The security engineer recently discovered that IAM rolesother thanthe InfrastructureDeployment role used this key for other services.
Which change to the policy should the security engineer make to resolve these issues?
A company has a large fleet of Amazon Linux 2 Amazon EC2 instances that run an application processing sensitive data. Compliance requirements include no exposed management ports, full session logging, and authentication through AWS IAM Identity Center. DevOps engineers occasionally need access for troubleshooting.
Which solution will provide remote access while meeting these requirements?
A security engineer needs to prepare for a security audit of an AWS account.
Select the correct AWS resource from the following list to meet each requirement. Select each resource one time or not at all. (Select THREE.)
• AWS Artifact reports
• AWS Audit Manager controls
• AWS Config conformance packs
• AWS Config rules
• Amazon Detective investigations
• AWS Identity and Access Management Access Analyzer internal access analyzers

A company uses AWS Organizations. The company has teams that use an AWS CloudHSM hardware security module (HSM) that is hosted in a central AWS account. One of the teams creates its own new dedicated AWS account and wants to use the HSM that is hosted in the central account.
How should a security engineer share the HSM that is hosted in the central account with the new dedicated account?
A recent security audit identified that a company’s application team injects database credentials into the environment variables of an AWS Fargate task. The company’s security policy mandates that all sensitive data be encrypted at rest and in transit.
Which combination of actions should the security team take to make the application compliant with the security policy? (Select THREE.)
A security engineer needs to prepare Amazon EC2 instances for quarantine during a security incident. AWS Systems Manager Agent (SSM Agent) is installed, and a script exists to install and update forensic tools.
Which solution will quarantine EC2 instances during a security incident?
An AWS Lambda function was misused to alter data, and a security engineer must identify who invoked the function and what output was produced. The engineer cannot find any logs created by the Lambda function in Amazon CloudWatch Logs.
Which of the following explains why the logs are not available?