1. Right Answer: A
Explanation: The AWS (Amazon Web Services) documentation mentions the following: AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud. With CloudHSM, you can manage your own encryption keys using FIPS 140-2 Level 3 validated HSMs. CloudHSM offers you the flexibility to integrate with your applications using industry-standard APIs, such as PKCS#11, Java Cryptography Extensions (JCE), and Microsoft CryptoNG (CNG) libraries. CloudHSM is also standards-compliant and enables you to export all of your keys to most other commercially available HSMs. It is a fully managed service that automates time-consuming administrative tasks for you, such as hardware provisioning, software patching, high availability, and backups. CloudHSM also enables you to scale quickly by adding and removing HSM capacity on demand, with no up-front costs.
All other options are invalid since AWS CloudHSM is the prime service that offers FIPS 140-2 Level 3 compliance.
For more information on CloudHSM, please visit the following URL: https://aws.amazon.com/cloudhsm/
2. Right Answer: B
Explanation: The AWS documentation mentions the following: You can now turn on a trail across all regions for your AWS account. CloudTrail will deliver log files from all regions to the Amazon S3 bucket and an optional CloudWatch Logs log group you specified. Additionally, when AWS launches a new region, CloudTrail will create the same trail in the new region. As a result, you will receive log files containing API activity for the new region without taking any action.
Options A and C are invalid because enabling CloudTrail separately in every region would be a maintenance overhead. Option D is invalid because AWS Config cannot be used to enable trails.
For more information on this feature, please visit the following URL: https://aws.amazon.com/about-aws/whats-new/2015/12/turn-on-cloudtrail-across-all-regions-and-support-for-multiple-trails/
3. Right Answer: D
Explanation: The AWS documentation mentions the following: AWS Lambda automatically monitors Lambda functions on your behalf, reporting metrics through Amazon CloudWatch. To help you troubleshoot failures in a function, Lambda logs all requests handled by your function and also automatically stores logs generated by your code through Amazon CloudWatch Logs.
Options B, C and D are all invalid because these services cannot be used to monitor for errors.
For more information on monitoring Lambda functions, please visit the following URL: https://docs.aws.amazon.com/lambda/latest/dg/monitoring-functions-logs.html
4. Right Answer: B
Explanation: The AWS documentation mentions the following: By default, the log files delivered by CloudTrail to your bucket are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3).
Options B, C and D are all invalid because by default all logs are encrypted when they are sent by CloudTrail to S3 buckets.
For more information on AWS CloudTrail log encryption, please visit the following URL: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html
5. Right Answer: C
Explanation: After the VPC peering connection is established, you need to ensure that the route tables are modified so that traffic can flow between the VPCs.
Options A, B and C are invalid because allowing access to the Internet gateway and using public subnets can help with Internet access, but not with VPC peering.
For more information on VPC peering routing, please visit the following URL: https://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/vpc-peering-routing.html