Correct option:

The AMIs may have been encrypted using customer-managed customer master keys (CMKs). Additional permissions need to be provided to the Auto Scaling Group to fix the issue

Amazon EC2 Auto Scaling uses service-linked roles (SLR) for the required permissions to call other AWS services. The permissions for SLR are hardcoded by AWS and can't be changed. By default, permissions provided to Amazon EC2 Auto Scaling SLR don't include permissions to access customer master keys (CMKs).

There are two types of Amazon EC2 Auto Scaling service-linked roles:

1.The default service-linked role for your account, named AWSServiceRoleForAutoScaling. This role is automatically assigned to your Auto Scaling groups unless you specify a different service-linked role.

2.A service-linked role with a custom suffix that you specify when you create the role, for example, AWSServiceRoleForAutoScaling_mysuffix.

The permissions of a custom suffix service-linked role are identical to those of the default service-linked role. In both cases, you cannot edit the roles, and you also cannot delete them if they are still in use by an Auto Scaling group. The only difference is the role name suffix.

You can specify either role when you edit your AWS Key Management Service key policies to allow instances that are launched by Amazon EC2 Auto Scaling to be encrypted with your customer-managed CMK. However, if you plan to give granular access to a specific customer-managed CMK, you should use a custom suffix service-linked role. Using a custom suffix service-linked role provides you with:

1.More control over the CMK

2.The ability to track which Auto Scaling group made an API call in your CloudTrail logs

Incorrect options:

The AMIs may have been encrypted using AWS managed customer master keys (CMKs). Additional permissions to be provided to the Auto Scaling Group to fix the issue - You can use AWS managed CMKs or customer managed CMKs to encrypt Amazon Elastic Block Store (Amazon EBS) volumes or AMIs with Amazon EC2 Auto Scaling. Amazon EC2 Auto Scaling doesn't need additional permissions to use AWS managed CMKs.

The Auto Scaling Group needs a service-linked role to access KMS. Create a service-linked role on the ASG to fix the issue - Amazon EC2 Auto Scaling uses service-linked roles for the permissions that it requires to call other Amazon Web Services on your behalf. A service-linked role is a unique type of IAM role that is linked directly to an AWS service. The service-linked roles provide a secure way to delegate permissions to Amazon Web Services because only the linked service can assume a service-linked role. A service-linked role is mandatory for creating an ASG.

The service-linked role of the ASG might have been deleted. Check if the role still exists - You can delete a service-linked role only after first deleting the related dependent resources. This protects you from inadvertently revoking Amazon EC2 Auto Scaling permissions to your resources. If a service-linked role is used with multiple Auto Scaling groups, you must delete all Auto Scaling groups that use the service-linked role before you can delete it. So, it is not possible to delete the service-linked role when its connected ASG still exists.

References:

https://docs.aws.amazon.com/autoscaling/ec2/userguide/autoscaling-service-linked-role.html

https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role

Correct option:

You can retrieve 10 GB of your Amazon S3 Glacier data per month for free

Amazon S3 Glacier and S3 Glacier Deep Archive are designed to be the lowest-cost Amazon S3 storage classes, allowing you to archive large amounts of data at a very low cost. This makes it feasible to retain all the data you want for use cases like data lakes, analytics, IoT, machine learning, compliance, and media asset archiving. You pay only for what you need, with no minimum commitments or up-front fees.

Amazon S3 Glacier offers a 10 GB retrieval free tier. You can retrieve 10 GB of your Amazon S3 Glacier data per month for free. The free tier allowance can be used at any time during the month and applies to Standard retrievals.

Incorrect options:

You can retrieve 5 GB of your Amazon S3 Glacier data per month for free - As discussed above, you can retrieve 10 GB of your Amazon S3 Glacier data per month for free.

Amazon S3 Glacier offers free retrieval for three months from starting of the service - As discussed above, you can retrieve 10 GB of your Amazon S3 Glacier data per month for free.

The AWS account holding S3 Glacier resources is a member of more than one AWS organization - This statement is incorrect. An AWS account can be a member of only one organization at a time.

Reference:

https://aws.amazon.com/s3/glacier/faqs/#dataretrievals

Correct option:

AWS Systems Manager - AWS Systems Manager allows you to centralize operational data from multiple AWS services and automate tasks across your AWS resources. You can create logical groups of resources such as applications, different layers of an application stack, or production versus development environments. With Systems Manager, you can select a resource group and view its recent API activity, resource configuration changes, related notifications, operational alerts, software inventory, and patch compliance status.

With AWS Systems Manager, you can manage servers running on AWS, in your on-premises data center, and devices such as Raspberry Pi through a single interface. Systems Manager securely communicates with a lightweight agent installed on your servers and devices to execute management tasks. This helps you manage resources for Windows, Linux, and Raspbian operating systems.

Incorrect options:

Amazon Inspector - Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity.

AWS Control Tower - AWS Control Tower offers the easiest way to set up and govern a secure, multi-account AWS environment. It establishes a landing zone that is based on the best-practices blueprints and enables governance using guardrails you can choose from a pre-packaged list. The landing zone is a well-architected, multi-account baseline that follows AWS best practices. Guardrails implement governance rules for security, compliance, and operations.

AWS Service Catalog - AWS Service Catalog allows organizations to create and manage catalogs of IT services that are approved for use on AWS. These IT services can include everything from virtual machine images, servers, software, and databases to complete multi-tier application architectures. AWS Service Catalog allows you to centrally manage deployed IT services and your applications, resources, and metadata. This helps you achieve consistent governance and meet your compliance requirements while enabling users to quickly deploy only the approved IT services they need.

References:

https://aws.amazon.com/systems-manager/features/

https://aws.amazon.com/blogs/mt/manage-raspberry-pi-devices-using-aws-systems-manager/

Correct option:

Setup the private connection within an Amazon Virtual Private Cloud (Amazon VPC) by using VPC endpoints

You can set up a private network connection between a file gateway and Amazon S3 within an Amazon Virtual Private Cloud (Amazon VPC). To set up this private connection within a VPC, you must:

1.Create a VPC endpoint for Amazon S3

2.Create a file gateway using a VPC endpoint

Complete steps for configuring the requirement: 

https://aws.amazon.com/premiumsupport/knowledge-center/storage-gateway-file-gateway-private-s3/

Incorrect options:

Setup AWS Direct Connect for accessing S3 privately - AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS. Using AWS Direct Connect, you create a private connection between AWS and your data center, office, or colocation environment. However, Direct Connect is not cost-effective for this requirement and an overkill too.

Use VPC Peering to set up a private connection between on-premises and AWS Cloud resources - A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account. VPC peering is not helpful for on-premises connectivity with Cloud. You cannot use VPC Peering for a private network connection between a File Gateway and Amazon S3.

Setup AWS Transit Gateway for accessing S3 privately from File Gateway - AWS Transit Gateway connects VPCs and on-premises networks through a central hub. This simplifies your network and puts an end to complex peering relationships. It acts as a cloud router – each new connection is only made once. You will still need a VPN or a Direct Connect connection between your on-premises and AWS Cloud connectivity. You cannot use AWS Transit Gateway for a private network connection between a File Gateway and Amazon S3.

Reference:

https://aws.amazon.com/fsx/windows/faqs/

Correct option:

Elastic Load Balancing Access Logs - Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and troubleshoot issues.

Access logging is an optional feature of Elastic Load Balancing that is disabled by default. After you enable access logging for your load balancer, Elastic Load Balancing captures the logs and stores them in the Amazon S3 bucket that you specify as compressed files. You can disable access logging at any time.

There is no additional charge for access logs. You are charged storage costs for Amazon S3, but not charged for the bandwidth used by Elastic Load Balancing to send log files to Amazon S3.

Incorrect options:

CloudTrail Logs - Elastic Load Balancing is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in Elastic Load Balancing. CloudTrail captures all API calls for Elastic Load Balancing as events. The calls captured include calls from the AWS Management Console and code calls to the Elastic Load Balancing API operations. If you create a trail, you can enable continuous delivery of CloudTrail events to an Amazon S3 bucket, including events for Elastic Load Balancing. If you don't configure a trail, you can still view the most recent events in the CloudTrail console in Event history. You cannot use CloudTrail Logs to analyze the network traffic passing through the ELB.

VPC Flow Logs - You can use VPC Flow Logs to capture detailed information about the traffic going to and from your Network Load Balancer. Create a flow log for each network interface for your load balancer. There is one network interface per load balancer subnet. VPC Flow Logs will not provide details on the latencies and server responses, so this option is not the right fit for the given use case.

VPC Network Logs - There is no such thing as VPC Network Logs. This option has been added as a distractor.

References:

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html

https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-monitoring.html

Correct option:

AWS Shield Advanced

AWS Shield Standard is activated for all AWS customers, by default. For higher levels of protection against attacks, you can subscribe to AWS Shield Advanced. With Shield Advanced, you also have exclusive access to advanced, real-time metrics and reports for extensive visibility into attacks on your AWS resources. With the assistance of the DRT (DDoS response team), AWS Shield Advanced includes intelligent DDoS attack detection and mitigation not only for network layer (layer 3) and transport layer (layer 4) attacks but also for application layer (layer 7) attacks.

AWS Shield Advanced includes intelligent DDoS attack detection and mitigation not only for the network layer (layer 3) and transport layer (layer 4) attacks but also for application layer (layer 7) attacks. AWS Shield Advanced is a paid service that provides additional protections for internet-facing applications. Additionally, you get DDoS cost protection for scaling, a feature that protects your AWS bill from usage spikes on your AWS Shield Advanced protected EC2, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53 resources as a result of a DDoS attack.

Incorrect options:

AWS WAF - AWS WAF is a web application firewall that helps protect web applications from attacks by allowing you to configure rules that allow, block, or monitor (count) web requests based on conditions that you define. These conditions include IP addresses, HTTP headers, HTTP body, URI strings, SQL injection, and cross-site scripting. WAF cannot be used to detect and get notified about any security gaps when port 846 is opened. WAF cannot protect your AWS bill from usage spikes due to DDoS attacks.

How WAF Works: 

https://aws.amazon.com/waf/

AWS Shield - AWS Shield Standard cannot protect your AWS bill from usage spikes due to DDoS attacks.

AWS DDoS OpsTeam - This is a made-up option and has been added as a distractor.

References:

https://aws.amazon.com/shield/

https://aws.amazon.com/waf/

Correct option:

Configure AWS Web Application Firewall (WAF) on CloudFront to keep the AWS infrastructure safe from malicious attacks. Use AWS Firewall Manager to replicate and manage the WAF configurations across AWS accounts

AWS WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, or an AWS AppSync GraphQL API.

At the simplest level, AWS WAF lets you choose one of the following behaviors:

1.Allow all requests except the ones that you specify – This is useful when you want Amazon CloudFront, Amazon API Gateway, Application Load Balancer, or AWS AppSync to serve content for a public website, but you also want to block requests from attackers.

2.Block all requests except the ones that you specify – This is useful when you want to serve content for a restricted website whose users are readily identifiable by properties in web requests, such as the IP addresses that they use to browse to the website.

3.Count the requests that match the properties that you specify – When you want to allow or block requests based on new properties in web requests, you first can configure AWS WAF to count the requests that match those properties without allowing or blocking those requests. This lets you confirm that you didn't accidentally configure AWS WAF to block all the traffic to your website. When you're confident that you specified the correct properties, you can change the behavior to allow or block requests.

AWS Firewall Manager is a security management service that allows you to centrally configure and manage firewall rules across your accounts and applications in AWS Organizations. As new applications are created, the Firewall Manager makes it easy to bring new applications and resources into compliance by enforcing a common set of security rules. Now you have a single service to build firewall rules, create security policies, and enforce them in a consistent, hierarchical manner across your entire infrastructure, from a central administrator account.

Incorrect options:

Configure Security Groups on CloudFront to deny access to IP addresses that seem to send the malicious traffic. The Security Group settings can be exported out to another AWS account for easy replication - A Security Group acts as a virtual firewall for your EC2 instances to control incoming and outgoing traffic. CloudFront does not support security groups.

Configure AWS Web Application Firewall (WAF) on Amazon EC2 instances to keep the instances as well as the databases safe. WAF configured on CloudFront increases latency for users accessing the application. WAF configuration can be replicated using CloudFormation templates - AWS WAF can only be configured with Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, or an AWS AppSync GraphQL API. Amazon EC2 instances cannot be directly configured with WAF, they need to be behind a CloudFront distribution or an Application Load Balancer.

Configure AWS Firewall Manager to create a secure barrier on CloudFront. Settings can be replicated across accounts by manually exporting the Firewall Manager configuration - It's AWS WAF (NOT Firewall Manager) that can create a secure barrier on CloudFront. AWS Firewall Manager is a security management service that allows you to centrally configure and manage firewall rules across your accounts and applications in AWS Organizations.

AWS Firewall Manager is integrated with AWS Organizations so you can enable AWS WAF rules, AWS Shield Advanced protection, security groups, and AWS Network Firewall rules for your Amazon VPC across multiple AWS accounts and resources from a single place. The Firewall Manager is a management service to manage security resources under one umbrella. There is no need to manually export configurations.

References:

https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html

https://aws.amazon.com/firewall-manager/

Correct option:

Use CloudTrail log file integrity to keep the logs tamper-proof - A trail is a configuration that enables delivery of events to an Amazon S3 bucket that you specify.

To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use CloudTrail log file integrity validation. This feature is built using industry-standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection.

When you enable log file integrity validation, CloudTrail creates a hash for every log file that it delivers. Every hour, CloudTrail also creates and delivers a file that references the log files for the last hour and contains a hash of each. This file is called a digest file. CloudTrail signs each digest file using the private key of a public and private key pair. After delivery, you can use the public key to validate the digest file. CloudTrail uses different key pairs for each AWS region.

The digest files are delivered to the same Amazon S3 bucket associated with your trail as your CloudTrail log files. If your log files are delivered from all regions or multiple accounts into a single Amazon S3 bucket, CloudTrail will deliver the digest files from those regions and accounts into the same bucket.

The digest files are put into a folder separate from the log files. This separation of digest files and log files enables you to enforce granular security policies and permits existing log processing solutions to continue to operate without modification. Each digest file also contains the digital signature of the previous digest file if one exists. The signature for the current digest file is in the metadata properties of the digest file Amazon S3 object.

Incorrect options:

Use KMS logfile security keys to keep the CloudTrail logs secure and tamper-proof - This is a made-up option and given only as a distractor.

Use Amazon S3 Versioning to keep all versions of the file created - Amazon S3 Versioning helps retain all the versions of a file created. CloudTrail log file integrity is a custom-made solution for the given requirement.

Use Amazon S3 MFA Delete to know the delete operations performed by any user on the logs stored in S3 buckets - If a bucket's versioning configuration is MFA Delete–enabled, the bucket owner must include the x-amz-mfa request header in requests to permanently delete an object version or change the versioning state of the bucket. This option does not address the use case.

References:

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html

https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMFADelete.html

Correct option:

The error status indicates that the underlying hardware related to the EBS volume has failed. The given EBS volume cannot be recovered but the data can be restored from the backup to a new EBS volume

The error status indicates that the underlying hardware related to your EBS volume has failed. The data associated with the volume is unrecoverable and Amazon EBS processes the volume as lost. A notification appears on your account's Personal Health Dashboard when a volume enters an error state.

You can't recover a volume in an error state, you can restore the lost data from your backup. It’s a best practice to keep backups of your EC2 resources, including EBS volumes. You can use Amazon Data Lifecycle Manager, AWS Backup, or regular EBS snapshots for maintaining regular backups of your critical volumes to avoid data loss.

Restore the lost data from your backup using one of the following:

1.If you have an EBS snapshot of the volume, you can restore that volume from your snapshot.

2.If you don't have an EBS snapshot of the volume, create a new EBS volume, and then restore the data to it using the manual backup solution you prefer.

Incorrect options:

You can restore the EBS volume from Amazon Data Lifecycle Manager, by shifting the volume to another EC2 instance configured with the Data Lifecycle Manager - You can use Amazon Data Lifecycle Manager to automate the creation, retention, and deletion of EBS snapshots and EBS-backed AMIs. You cannot, however, restore the actual volume that is in an error state.

Restart the instance the EBS volume is connected to. In case the data doesn't show up, you can restore the data from the scheduled backups - As discussed above, it is a problem with the underlying hardware which will not be fixed by restarting the instance.

The error status indicates that the communication channel between EBS volume and the instance has been disrupted. Restart the instance to fix the error - This is an incorrect statement, given only as a distractor.

Reference:

https://aws.amazon.com/premiumsupport/knowledge-center/ebs-error-status/

Correct options:

For stack sets created with service-managed permissions, you don't have to create the necessary IAM roles - Stack sets can be created using either self-managed permissions or service-managed permissions. With service-managed permissions, you can deploy stack instances to accounts managed by AWS Organizations. Using this permissions model, you don't have to create the necessary IAM roles; StackSets creates the IAM roles on your behalf. With this model, you can also enable automatic deployments to accounts that are added to your organization in the future.

You must set up a trust relationship between the administrator and target accounts before creating stacks in target accounts - An administrator account is the AWS account in which you create stack sets. For stack sets with service-managed permissions, the administrator account is either the organization's management account or a delegated administrator account. A target account is an account into which you create, update, or delete one or more stacks in your stack set. Before you can use a stack set to create stacks in a target account, you must set up a trust relationship between the administrator and target accounts.

Incorrect options:

Stack sets can be created using either self-managed, service-managed, or resource-managed permissions - This statement is incorrect. Stack sets can be created using either self-managed permissions or service-managed permissions.

When you delete stacks from your stack set but save them to run independently, such stacks need to be maintained at individual resource level and are unavailable in CloudFormation - When you delete stacks, you are removing a stack and all its associated resources from the target accounts you specify, within the Regions you specify. Delete stacks from your stack set, but save them so they continue to run independently of your stack set by choosing the Retain Stacks option. Retained stacks are managed in AWS CloudFormation outside of your stack set.

For stack sets created using self-managed permissions, you don't have to create the necessary IAM roles - With self-managed permissions, you create the IAM roles required by StackSets to deploy across accounts and Regions. These roles are necessary to establish a trusted relationship between the account you're administering the stack set from and the account you're deploying stack instances to.

Reference:

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-concepts.html