Lifecycle management of IAM credentials

Decommissioning storage devices

Security group and access control list (ACL) settings

Encryption of Amazon Elastic Block Store (Amazon EBS) volumes

Controlling physical access to compute resources

Create a snapshot of the database in the us-west-1 Region. Copy the snapshot to the us-east-1 Region and specify a KMS key in the us-east-1 Region. Restore the database from the copied snapshot.

Create an unencrypted snapshot of the database in the us-west-1 Region. Copy the snapshot to the useast-1 Region. Restore the database from the copied snapshot and enable encryption using the KMS key from the us-east-1 Region

Disable encryption on the database. Create a snapshot of the database in the us-west-1 Region. Copy the snapshot to the us-east-1 Region. Restore the database from the copied snapshot.

In the us-east-1 Region, choose to restore the latest automated backup of the database from the us-west1 Region. Enable encryption using a KMS key in the us-east-1 Region.

Create an IAM user with access credentials that are distributed with the mobile app to sign the requests.

Distribute the AWS root account access credentials with the mobile app to sign the requests.

Request temporary security credentials using web identity federation to sign the requests.

Establish cross account access between the mobile app and the DynamoDB table to sign the requests.

“Principal”: {

“AWS”: [“arn:aws:s3:123412341234:user/Boo”]

}

B.“Principal”: {

“AWS”: [“arn:aws:iam::123412341234:/user/Boo”]

}

You cannot do it with a bucket policy. You must create user-based permissions in IAM

Store photos on an EBS volume of the web server.

Remove public read access and use pre-signed URLs with expiry dates.

Use CloudFront distributions for static content.

Block the IPs of the offending websites in Security Groups.