AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain events related to API calls across your AWS infrastructure. CloudTrail provides a history of AWS API calls for your account, including API calls made through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This history simplifies security analysis, resource change tracking, and troubleshooting.
Option A and C are incorrect since Cloudtrail needs to be used as part of the solution
Option B is incorrect since the auditor needs to have access to Cloudtrail
For more information on cloudtrail , please visit the below URL:
https://aws.amazon.com/cloudtrail/
The correct answer is: Enable CloudTrail logging and create an IAM user who has read-only permissions to the required AWS resources, including the bucket containing the CloudTrail logs.

This is mentioned in the AWS Documentation
Options A and B are incorrect because using Security Groups nor route tables will help to allow access specifically for that bucket via the VPC endpoint. Here you specifically need to ensure the bucket policy is changed.
Option C is incorrect because it is the bucket policy that needs to be changed and not the IAM policy. 
For more information on example bucket policies for VPC endpoints, please refer to below URL:
https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies-vpc-endpoint.html
The correct answer is: Modify the bucket Policy for the bucket to allow access for the VPC endpoint

The AWS Documentation mentions the following
You can use a combination of AWS CloudTrail, Amazon CloudWatch Logs, and Amazon Simple Notification Service (Amazon SNS) to create an alarm that notifies you of AWS KMS API requests that attempt to use a customer master key (CMK) that is pending deletion. If you receive a notification from such an alarm, you might want to cancel deletion of the CMK to give yourself more time to determine whether you want to delete it.
Options B and D are incorrect because Key policies nor IAM policies can be used to check if the keys are being used.
Option C is incorrect since rotation will not help you check if the keys are being used.
For more information on deleting keys, please refer to below URL:
https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys-creating-cloudwatch-alarm.html
The correct answer is: Use CloudTrail to see if any KMS API request has been issued against existing keys

Option A is invalid because removing the role will not help completely in such a situation
Option D is invalid because terminating the instance means that you cannot conduct forensic analysis on the instance
One way to isolate an affected EC2 instance for investigation is to place it in a Security Group that only the forensic investigators can access. Close all ports except to receive inbound SSH or RDP traffic from one single IP address from which the investigators can safely examine the instance.
For more information on security scenarios for your EC2 Instance, please refer to below URL:
https://d1.awsstatic.com/Marketplace/scenarios/security/SEC_11_TSB_Final.pdf
The correct answers are: Create a separate forensic instance, Ensure that the security groups only allow communication to this forensic instance

The AWS Documentation mentions the following
Data key caching stores data keys and related cryptographic material in a cache. When you encrypt or decrypt data, the AWS Encryption SDK looks for a matching data key in the cache. If it finds a match, it uses the cached data key rather than generating a new one. Data key caching can improve performance, reduce cost, and help you stay within service limits as your application scales.
Option A,C and D are all incorrect since these options will not impact how the key is used.
For more information on data key caching, please refer to below URL:
https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/data-key-caching.html
The correct answer is: Use Data key caching

The AWS Documentation mentions the following about these services
AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting.
Option B is invalid because this is only used for VPC’s
Option C is invalid because this is a configuration service and cannot be used for logging purposes
For more information on Cloudtrail, please refer to below URL:
https://aws.amazon.com/cloudtrail/
The correct answers are: Amazon Cloudwatch Logs, Amazon Cloudtrail

You can use a pre-approved solution from the AWS Marketplace. But till date the AWS Documentation still mentions that you have to get prior approval before conducting a test on the AWS Cloud for EC2 Instances.
Option C and D are invalid because you have to get prior approval first
For more information on penetration testing please visit the following URL:
https://aws.amazon.com/security/penetration-testing/
The correct answers are: Get prior approval from AWS for conducting the test, Use a pre-approved penetration testing tool.

Option B is incorrect because querying Trusted Advisor API’s are not possible
Option C is incorrect because GuardDuty should be used to detect threats and not check the compliance of security protocols.
Option D is incorrect because Amazon Inspector can be used to check for vulnerabilities only
One of the Inbuilt AWS Config Rules is built specifically for this purpose
For more information on AWS Config managed rules , please refer to below URL:
https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html
The correct answer is: Trigger an AWS Config Rules evaluation of the restricted-common-ports rule against every EC2 instance.

You can use a Lambda function to create a new key and then update the S3 bucket to use the new key. Remember not to delete the old key , else you will not be able to decrypt the documents stored in the S3 bucket using the older key.
Option B is incorrect because AWS KMS cannot rotate keys on a monthly basis
Option C is incorrect because deleting the old key means that you cannot access the older objects
Option D is incorrect because rotating key material is not possible.
For more information on AWS KMS keys , please refer to below URL:
https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
The correct answer is: Trigger a Lambda function with a monthly CloudWatch event that creates a new CMK and updates the S3 bucket to use the new CMK.

The AWS Documentation mentions the following
You control access to Amazon API Gateway with IAM permissions by controlling access to the following two API Gateway component processes:
To create, deploy, and manage an API in API Gateway, you must grant the API developer permissions to perform the required actions supported by the API management component of API Gateway.
To call a deployed API or to refresh the API caching, you must grant the API caller permissions to perform required IAM actions supported by the API execution component of API Gateway.
Option A , C and D are invalid because these cannot be used to control access to AWS services. This needs to be done via policies
For more information on permissions with the API gateway, please visit the following URL:
https://docs.aws.amazon.com/apigateway/latest/developerguide/permissions.html
The correct answer is: Use IAM Policies to create different policies for the different types of users.