SCS-C02 Dumps Guarantee You Pass SCS-C02 Exam Easily

Category:

Comments:

0 Comments

Post Date:

August 30, 2023

As new threats and vulnerabilities emerge, the SCS-C02 exam is updated to reflect the latest trends in AWS Certified Specialty. By using SCS-C02 exam dumps questions, you can ensure that you're staying up-to-date with the latest exam content and are fully prepared to address new challenges in AWS Certified Security - Specialty. Amazon SCS-C02 exam dumps questions can help you optimize your preparation and ensure that you're fully prepared for the exam. Practice free Amazon SCS-C02 exam dumps questions below.

Page 1 of 8

1. A company developed an application by using AWS Lambda, Amazon S3, Amazon Simple Notification Service (Amazon SNS), and Amazon DynamoDB. An external application puts objects into the company's S3 bucket and tags the objects with date and time. A Lambda function periodically pulls data from the company's S3 bucket based on date and time tags and inserts specific values into a DynamoDB table for further processing.

The data includes personally identifiable information (Pll). The company must remove data that is older than 30 days from the S3 bucket and the DynamoDB table.

Which solution will meet this requirement with the MOST operational efficiency?

Update the Lambda function to add a TTL S3 flag to S3 objects. Create an S3 Lifecycle policy to expire objects that are older than 30 days by using the TTL S3 flag.

Create an S3 Lifecycle policy to expire objects that are older than 30 days. Update the Lambda function to add the TTL attribute in the DynamoDB table. Enable TTL on the DynamoDB table to expire entires that are older than 30 days based on the TTL attribute.

Create an S3 Lifecycle policy to expire objects that are older than 30 days and to add all prefixes to the S3 bucket. Update the Lambda function to delete entries that are older than 30 days.

Create an S3 Lifecycle policy to expire objects that are older than 30 days by using object tags. Update the Lambda function to delete entries that are older than 30 days.

2. A company deploys a set of standard IAM roles in AWS accounts. The IAM roles are based on job functions within the company. To balance operational efficiency and security, a security engineer implemented AWS Organizations SCPs to restrict access to critical security services in all company accounts.

All of the company's accounts and OUs within AWS Organizations have a default FullAWSAccess SCP that is attached. The security engineer needs to ensure that no one can disable Amazon GuardDuty and AWS Security Hub. The security engineer also must not override other permissions that are granted by IAM policies that are defined in the accounts.

Which SCP should the security engineer attach to the root of the organization to meet these requirements?

A)

Option A

Option B

Option C

Option D

3. A company's engineering team is developing a new application that creates IAM Key Management Service (IAM KMS) CMK grants for users immediately after a grant IS created users must be able to use the CMK tu encrypt a 512-byte payload. During load testing, a bug appears |intermittently where AccessDeniedExceptions are occasionally triggered when a user rst attempts to encrypt using the CMK

Which solution should the c0mpany‘s security specialist recommend‘?

Instruct users to implement a retry mechanism every 2 minutes until the call succeeds.

Instruct the engineering team to consume a random grant token from users, and to call the CreateGrant operation, passing it the grant token. Instruct use to use that grant token in their call to encrypt.

Instruct the engineering team to create a random name for the grant when calling the CreateGrant operation. Return the name to the users and instruct them to provide the name as the grant token in the call to encrypt.

Instruct the engineering team to pass the grant token returned in the CreateGrant response to users. Instruct users to use that grant token in their call to encrypt.

4. An application team wants to use IAM Certificate Manager (ACM) to request public certificates to ensure that data is secured in transit. The domains that are being used are not currently hosted on Amazon Route 53

The application team wants to use an IAM managed distribution and caching solution to optimize requests to its systems and provide better points of presence to customers The distribution solution will use a primary domain name that is customized The distribution solution also will use several alternative domain names The certificates must renew automatically over an indefinite period of time

Which combination of steps should the application team take to deploy this architecture? (Select THREE.)

Request a certificate (torn ACM in the us-west-2 Region Add the domain names that the certificate will secure

Send an email message to the domain administrators to request vacation of the domains for ACM

Request validation of the domains for ACM through DNS Insert CNAME records into each domain's DNS zone

Create an Application Load Balancer for me caching solution Select the newly requested certificate from ACM to be used for secure connections

Create an Amazon CloudFront distribution for the caching solution Enter the main CNAME record as the Origin Name Enter the subdomain names or alternate names in the Alternate Domain Names Distribution Settings Select the newly requested certificate from ACM to be used for secure connections

Request a certificate from ACM in the us-east-1 Region Add the domain names that the certificate wil secure

5. A company's Security Auditor discovers that users are able to assume roles without using multi-factor authentication (MFA).

An example of a current policy being applied to these users is as follows:

The Security Auditor finds that the users who are able to assume roles without MFA are alt coming from the IAM CLI. These users are using long-term IAM credentials.

Which changes should a Security Engineer implement to resolve this security issue? (Select TWO.)

A)

Option A

Option B

Option C

Option D

Option E

6. A company receives a notification from the AWS Abuse team about an AWS account The notification indicates that a resource in the account is compromised The company determines that the compromised resource is an Amazon EC2 instance that hosts a web application The compromised EC2 instance is part of an EC2 Auto Scaling group

The EC2 instance accesses Amazon S3 and Amazon DynamoDB resources by using an 1AM access key and secret key The 1AM access key and secret key are stored inside the AMI that is specified in the Auto Scaling

group's launch configuration The company is concerned that the credentials that are stored in the AMI might also have been exposed

The company must implement a solution that remediates the security concerns without causing downtime for the application The solution must comply with security best practices

Which solution will meet these requirements'?

Rotate the potentially compromised access key that the EC2 instance uses Create a new AM I without the potentially compromised credentials Perform an EC2 Auto Scaling instance refresh

Delete or deactivate the potentially compromised access key Create an EC2 Auto Scaling linked 1AM role that includes a custom policy that matches the potentially compromised access key permission Associate the new 1AM role with the Auto Scaling group Perform an EC2 Auto Scaling instance refresh.

Delete or deactivate the potentially compromised access key Create a new AMI without the potentially compromised credentials Create an 1AM role that includes the correct permissions Create a launch template for the Auto Scaling group to reference the new AMI and 1AM role Perform an EC2 Auto Scaling instance refresh

Rotate the potentially compromised access key Create a new AMI without the potentially compromised access key Use a user data script to supply the new access key as environmental variables in the Auto Scaling group's launch configuration Perform an EC2 Auto Scaling instance refresh

7. A company is using AWS WAF to protect a customized public API service that is based on Amazon EC2 instances. The API uses an Application Load Balancer.

The AWS WAF web ACL is configured with an AWS Managed Rules rule group. After a software upgrade to the API and the client application, some types of requests are no longer working and are causing application stability issues. A security engineer discovers that AWS WAF logging is not turned on for the web ACL.

The security engineer needs to immediately return the application to service, resolve the issue, and ensure that logging is not turned off in the future. The security engineer turns on logging for the web ACL and specifies Amazon Cloud-Watch Logs as the destination.

Which additional set of steps should the security engineer take to meet the requirements?

Edit the rules in the web ACL to include rules with Count actions. Review the logs to determine which rule is blocking the request. Modify the IAM policy of all AWS WAF administrators so that they cannot remove the logging configuration for any AWS WAF web ACLs.

Edit the rules in the web ACL to include rules with Count actions. Review the logs to determine which rule is blocking the request. Modify the AWS WAF resource policy so that AWS WAF administrators cannot remove the logging configuration for any AWS WAF web ACLs.

Edit the rules in the web ACL to include rules with Count and Challenge actions. Review the logs to determine which rule is blocking the request. Modify the AWS WAF resource policy so that AWS WAF administrators cannot remove the logging configuration for any AWS WAF web ACLs.

Edit the rules in the web ACL to include rules with Count and Challenge actions. Review the logs to determine which rule is blocking the request. Modify the IAM policy of all AWS WAF administrators so that they cannot remove the logging configuration for any AWS WAF web ACLs.

8. A company uses several AWS CloudFormation stacks to handle the deployment of a suite of applications. The leader of the company's application development team notices that the stack deployments fail with permission errors when some team members try to deploy the stacks. However, other team members can deploy the stacks successfully.

The team members access the account by assuming a role that has a specific set of permissions that are necessary for the job responsibilities of the team members. All team members have permissions to perform operations on the stacks.

Which combination of steps will ensure consistent deployment of the stacks MOST securely? (Select THREE.)

Create a service role that has a composite principal that contains each service that needs the necessary permissions. Configure the role to allow the sts:AssumeRole action.

Create a service role that has cloudformation.amazonaws.com as the service principal. Configure the role to allow the sts:AssumeRole action.

For each required set of permissions, add a separate policy to the role to allow those permissions. Add the ARN of each CloudFormation stack in the resource field of each policy.

For each required set of permissions, add a separate policy to the role to allow those permissions. Add the ARN of each service that needs the per-missions in the resource field of the corresponding policy.

Update each stack to use the service role.

Add a policy to each member role to allow the iam:PassRole action. Set the policy's resource field to the ARN of the service role.

9. A company that uses AWS Organizations is migrating workloads to AWS. The companys application team determines that the workloads will use Amazon EC2 instances, Amazon S3 buckets, Amazon DynamoDB tables, and Application Load Balancers.

For each resource type, the company mandates that deployments must comply with the following requirements:

• All EC2 instances must be launched from approved AWS accounts.

• All DynamoDB tables must be provisioned with a standardized naming convention.

• All infrastructure that is provisioned in any accounts in the organization must be deployed by AWS CloudFormation templates.

Which combination of steps should the application team take to meet these requirements? (Select TWO.)

Create CloudFormation templates in an administrator AWS account. Share the stack sets with an application AWS account. Restrict the template to be used specifically by the application AWS account.

Create CloudFormation templates in an application AWS account. Share the output with an administrator AWS account to review compliant resources. Restrict output to only the administrator AWS account.

Use permissions boundaries to prevent the application AWS account from provisioning specific resources unless conditions for the internal compliance requirements are met.

Use SCPs to prevent the application AWS account from provisioning specific resources unless conditions for the internal compliance requirements are met.

Activate AWS Config managed rules for each service in the application AWS account.

10. During a manual review of system logs from an Amazon Linux EC2 instance, a Security Engineer noticed that there are sudo commands that were never properly alerted or reported on the Amazon CloudWatch Logs agent

Why were there no alerts on the sudo commands?

There is a security group blocking outbound port 80 traffic that is preventing the agent from sending the logs

The IAM instance profile on the EC2 instance was not properly configured to allow the CloudWatch Logs agent to push the logs to CloudWatch

CloudWatch Logs status is set to ON versus SECURE, which prevents it from pulling in OS security event logs

The VPC requires that all traffic go through a proxy, and the CloudWatch Logs agent does not support a proxy configuration.

Page 2 of 8

11. A company is using Amazon Macie, AWS Firewall Manager, Amazon Inspector, and AWS Shield Advanced in its AWS account. The company wants to receive alerts if a DDoS attack occurs against the account.

Which solution will meet this requirement?

Use Macie to detect an active DDoS event. Create Amazon CloudWatch alarms that respond to Macie findings.

Use Amazon Inspector to review resources and to invoke Amazon CloudWatch alarms for any resources that are vulnerable to DDoS attacks.

Create an Amazon CloudWatch alarm that monitors Firewall Manager metrics for an active DDoS event.

Create an Amazon CloudWatch alarm that monitors Shield Advanced metrics for an active DDoS event.

12. Which of the following are valid configurations for using SSL certificates with Amazon CloudFront? (Select THREE)

Default AWS Certificate Manager certificate

Custom SSL certificate stored in AWS KMS

Default CloudFront certificate

Custom SSL certificate stored in AWS Certificate Manager

Default SSL certificate stored in AWS Secrets Manager

Custom SSL certificate stored in AWS IAM

13. There are currently multiple applications hosted in a VPC. During monitoring it has been noticed that multiple port scans are coming in from a specific IP Address block. The internal security team has requested that all offending IP Addresses be denied for the next 24 hours.

Which of the following is the best method to quickly and temporarily deny access from the specified IP Address's.

Create an AD policy to modify the Windows Firewall settings on all hosts in the VPC to deny access from the IP Address block.

Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP Address block.

Add a rule to all of the VPC Security Groups to deny access from the IP Address block.

Modify the Windows Firewall settings on all AMI'S that your organization uses in that VPC to deny access from the IP address block.

14. A company has an AWS Lambda function that creates image thumbnails from larger images. The Lambda function needs read and write access to an Amazon S3 bucket in the same AWS account.

Which solutions will provide the Lambda function this access? (Select TWO.)

Create an IAM user that has only programmatic access. Create a new access key pair. Add environmental variables to the Lambda function with the access key ID and secret access key. Modify the Lambda function to use the environmental variables at run time during communication with Amazon S3.

Generate an Amazon EC2 key pair. Store the private key in AWS Secrets Man-ager. Modify the Lambda function to retrieve the private key from Secrets Manager and to use the private key during communication with Amazon S3.

Create an IAM role for the Lambda function. Attach an IAM policy that al-lows access to the S3 bucket.

Create an IAM role for the Lambda function. Attach a bucket policy to the S3 bucket to allow access. Specify the function's IAM role as the principal.

Create a security group. Attach the security group to the Lambda function. Attach a bucket policy that allows access to the S3 bucket through the security group I

15. A company accidentally deleted the private key for an Amazon Elastic Block Store (Amazon EBS)-backed Amazon EC2 instance. A security engineer needs to regain access to the instance.

Which combination of steps will meet this requirement? (Choose two.)

Stop the instance. Detach the root volume. Generate a new key pair.

Keep the instance running. Detach the root volume. Generate a new key pair.

When the volume is detached from the original instance, attach the volume to another instance as a data volume. Modify the authorized_keys file with a new public key. Move the volume back to the original instance. Start the instance.

When the volume is detached from the original instance, attach the volume to another instance as a data volume. Modify the authorized_keys file with a new private key. Move the volume back to the original instance. Start the instance.

16. A company has developed a new Amazon RDS database application. The company must secure the ROS database credentials for encryption in transit and encryption at rest. The company also must rotate the credentials automatically on a regular basis.

Which solution meets these requirements?

Use IAM Systems Manager Parameter Store to store the database credentiais. Configure automatic rotation of the credentials.

Use IAM Secrets Manager to store the database credentials. Configure automat* rotation of the credentials

Store the database credentials in an Amazon S3 bucket that is configured with server-side encryption with S3 managed encryption keys (SSE-S3) Rotate the credentials with IAM database authentication.

Store the database credentials m Amazon S3 Glacier, and use S3 Glacier Vault Lock Configure an IAM Lambda function to rotate the credentials on a scheduled basts

17. A company manages multiple IAM accounts using IAM Organizations. The company's security team notices that some member accounts are not sending IAM CloudTrail logs to a centralized Amazon S3 logging bucket. The security team wants to ensure there is at least one trail configured (or all existing accounts and for any account that is created in the future.

Which set of actions should the security team implement to accomplish this?

Create a new trail and configure it to send CloudTrail logs to Amazon S3. Use Amazon EventBridge (Amazon CloudWatch Events) to send notification if a trail is deleted or stopped.

Deploy an IAM Lambda function in every account to check if there is an existing trail and create a new trail, if needed.

Edit the existing trail in the Organizations master account and apply it to the organization.

Create an SCP to deny the cloudtrail:Delete" and cloudtrail:Stop' actions. Apply the SCP to all accounts.

18. A company plans to create individual child accounts within an existing organization in IAM Organizations for each of its DevOps teams. IAM CloudTrail has been enabled and configured on all accounts to write audit logs to an Amazon S3 bucket in a centralized IAM account. A security engineer needs to ensure that DevOps team members are unable to modify or disable this configuration.

How can the security engineer meet these requirements?

Create an IAM policy that prohibits changes to the specific CloudTrail trail and apply the policy to the IAM account root user.

Create an S3 bucket policy in the specified destination account for the CloudTrail trail that prohibits configuration changes from the IAM account root user in the source account.

Create an SCP that prohibits changes to the specific CloudTrail trail and apply the SCP to the appropriate organizational unit or account in Organizations.

Create an IAM policy that prohibits changes to the specific CloudTrail trail and apply the policy to a new IAM group. Have team members use individual IAM accounts that are members of the new IAM group.

19. A company deployed IAM Organizations to help manage its increasing number of IAM accounts. A security engineer wants to ensure only principals in the Organization structure can access a specic Amazon S3 bucket. The solution must also minimize operational overhead

Which solution will meet these requirements?

1 Put all users into an IAM group with an access policy granting access to the J bucket.

Have the account creation trigger an IAM Lambda function that manages the bucket policy, allowing access to accounts listed in the policy only.

Add an SCP to the Organizations master account, allowing all principals access to the bucket.

Specify the organization ID in the global key condition element of a bucket policy, allowing all principals access.

20. Auditors for a health care company have mandated that all data volumes be encrypted at rest Infrastructure is deployed mainly via IAM CloudFormation however third-party frameworks and manual deployment are required on some legacy systems

What is the BEST way to monitor, on a recurring basis, whether all EBS volumes are encrypted?

On a recurring basis, update an IAM user policies to require that EC2 instances are created with an encrypted volume

Configure an IAM Config rule lo run on a recurring basis 'or volume encryption

Set up Amazon Inspector rules tor volume encryption to run on a recurring schedule

Use CloudWatch Logs to determine whether instances were created with an encrypted volume

Page 3 of 8

21. A company maintains an open-source application that is hosted on a public GitHub repository. While creating a new commit to the repository, an engineer uploaded their IAM access key and secret access key. The engineer reported the mistake to a manager, and the manager immediately disabled the access key.

The company needs to assess the impact of the exposed access key. A security engineer must recommend a solution that requires the least possible managerial overhead.

Which solution meets these requirements?

Analyze an IAM Identity and Access Management (IAM) use report from IAM Trusted Advisor to see when the access key was last used.

Analyze Amazon CloudWatch Logs for activity by searching for the access key.

Analyze VPC flow logs for activity by searching for the access key

Analyze a credential report in IAM Identity and Access Management (IAM) to see when the access key was last used.

22. A company's security engineer has been tasked with restricting a contractor's IAM account access to the company's Amazon EC2 console without providing access to any other IAM services The contractors IAM account must not be able to gain access to any other IAM service, even it the IAM account rs assigned additional permissions based on IAM group membership

What should the security engineer do to meet these requirements''

Create an mime IAM user policy that allows for Amazon EC2 access for the contractor's IAM user

Create an IAM permissions boundary policy that allows Amazon EC2 access Associate the contractor's IAM account with the IAM permissions boundary policy

Create an IAM group with an attached policy that allows for Amazon EC2 access Associate the contractor's IAM account with the IAM group

Create a IAM role that allows for EC2 and explicitly denies all other services Instruct the contractor to always assume this role

23. A business stores website images in an Amazon S3 bucket. The firm serves the photos to end users through Amazon CloudFront. The firm learned lately that the photographs are being accessible from nations in which it does not have a distribution license.

Which steps should the business take to safeguard the photographs and restrict their distribution? (Select two.)

Update the S3 bucket policy to restrict access to a CloudFront origin access identity (OAI).

Update the website DNS record to use an Amazon Route 53 geolocation record deny list of countries where the company lacks a license.

Add a CloudFront geo restriction deny list of countries where the company lacks a license.

Update the S3 bucket policy with a deny list of countries where the company lacks a license.

Enable the Restrict Viewer Access option in CloudFront to create a deny list of countries where the company lacks a license.

24. Your company is planning on using bastion hosts for administering the servers in IAM.

Which of the following is the best description of a bastion host from a security perspective?

A Bastion host should be on a private subnet and never a public subnet due to security concerns

A Bastion host sits on the outside of an internal network and is used as a gateway into the private network and is considered the critical strong point of the network

Bastion hosts allow users to log in using RDP or SSH and use that session to S5H into internal network to access private subnet resources.

A Bastion host should maintain extremely tight security and monitoring as it is available to the public

25. A company's IAM account consists of approximately 300 IAM users. Now there is a mandate that an access change is required for 100 IAM users to have unlimited privileges to S3.

As a system administrator, how can you implement this effectively so that there is no need to apply the policy at the individual user level?

Create a new role and add each user to the IAM role

Use the IAM groups and add users, based upon their role, to different groups and apply the policy to group

Create a policy and apply it to multiple users using a JSON script

Create an S3 bucket policy with unlimited access which includes each user's IAM account ID

26. A developer 15 building a serverless application hosted on IAM that uses Amazon Redshift in a data store. The application has separate modules for read/write and read-only functionality. The modules need their own database users tor compliance reasons.

Which combination of steps should a security engineer implement to grant appropriate access' (Select TWO)

Configure cluster security groups for each application module to control access to database users that are required for read-only and read/write.

Configure a VPC endpoint for Amazon Redshift Configure an endpoint policy that maps database users to each application module, and allow access to the tables that are required for read-only and read/write

Configure an IAM poky for each module Specify the ARN of an Amazon Redshift database user that allows the GetClusterCredentials API call

Create focal database users for each module

Configure an IAM policy for each module Specify the ARN of an IAM user that allows the GetClusterCredentials API call

27. A company has two teams, and each team needs to access its respective Amazon S3 buckets. The company anticipates adding more teams that also will have their own S3 buckets. When the company adds these teams, team members will need the ability to be assigned to multiple teams. Team members also will need the ability to change teams. Additional S3 buckets can be created or deleted.

An IAM administrator must design a solution to accomplish these goals. The solution also must be scalable and must require the least possible operational overhead.

Which solution meets these requirements?

Add users to groups that represent the teams. Create a policy for each team that allows the team to access its respective S3 buckets only. Attach the policy to the corresponding group.

Create an IAM role for each team. Create a policy for each team that allows the team to access its respective S3 buckets only. Attach the policy to the corresponding role.

Create IAM roles that are labeled with an access tag value of a team. Create one policy that allows dynamic access to S3 buckets with the same tag. Attach the policy to the IAM roles. Tag the S3 buckets accordingly.

Implement a role-based access control (RBAC) authorization model. Create the corresponding policies, and attach them to the IAM users.

28. A company hosts a web application on an Apache web server. The application runs on Amazon EC2 instances that are in an Auto Scaling group. The company configured the EC2 instances to send the Apache web server logs to an Amazon CloudWatch Logs group that the company has configured to expire after 1 year.

Recently, the company discovered in the Apache web server logs that a specific IP address is sending suspicious requests to the web application. A security engineer wants to analyze the past week of Apache web server logs to determine how many requests that the IP address sent and the corresponding URLs that the IP address requested.

What should the security engineer do to meet these requirements with the LEAST effort?

Export the CloudWatch Logs group data to Amazon S3. Use Amazon Macie to query the logs for the specific IP address and the requested URLs.

Configure a CloudWatch Logs subscription to stream the log group to an Amazon OpenSearch Service cluster. Use OpenSearch Service to analyze the logs for the specific IP address and the requested URLs.

Use CloudWatch Logs Insights and a custom query syntax to analyze the CloudWatch logs for the specific IP address and the requested URLs.

Export the CloudWatch Logs group data to Amazon S3. Use AWS Glue to crawl the S3 bucket for only the log entries that contain the specific IP ad-dress. Use AWS Glue to view the results.

29. A company's on-premises networks are connected to VPCs using an IAM Direct Connect gateway. The company's on-premises application needs to stream data using an existing Amazon Kinesis Data Firehose delivery stream. The company's security policy requires that data be encrypted in transit using a private network.

How should the company meet these requirements?

Create a VPC endpoint tor Kinesis Data Firehose. Configure the application to connect to the VPC endpoint.

Configure an IAM policy to restrict access to Kinesis Data Firehose using a source IP condition. Configure the application to connect to the existing Firehose delivery stream.

Create a new TLS certificate in IAM Certificate Manager (ACM). Create a public-facing Network Load Balancer (NLB) and select the newly created TLS certificate. Configure the NLB to forward all traffic to Kinesis Data Firehose. Configure the application to connect to the NL

Peer the on-premises network with the Kinesis Data Firehose VPC using Direct Connect. Configure the application to connect to the existing Firehose delivery stream.

30. A company is building a data processing application mat uses AWS Lambda functions. The application's Lambda functions need to communicate with an Amazon RDS OB instance that is deployed within a VPC in the same AWS account

Which solution meets these requirements in the MOST secure way?

Configure the DB instance to allow public access Update the DB instance security group to allow access from the Lambda public address space for the AWS Region

Deploy the Lambda functions inside the VPC Attach a network ACL to the Lambda subnet Provide outbound rule access to the VPC CIDR range only Update the DB instance security group to allow traffic from 0.0.0.0/0

Deploy the Lambda functions inside the VPC Attach a security group to the Lambda functions Provide outbound rule access to the VPC CIDR range only Update the DB instance security group to allow traffic from the Lambda security group

Peer the Lambda default VPC with the VPC that hosts the DB instance to allow direct network access without the need for security groups

Page 4 of 8

31. A company has a relational database workload that runs on Amazon Aurora MySQL. According to new compliance standards the company must rotate all database credentials every 30 days. The company needs a solution that maximizes security and minimizes development effort.

Which solution will meet these requirements?

Store the database credentials in AWS Secrets Manager. Configure automatic credential rotation tor every 30 days.

Store the database credentials in AWS Systems Manager Parameter Store. Create an AWS Lambda function to rotate the credentials every 30 days.

Store the database credentials in an environment file or in a configuration file. Modify the credentials every 30 days.

Store the database credentials in an environment file or in a configuration file. Create an AWS Lambda function to rotate the credentials every 30 days.

32. An Application team has requested a new IAM KMS master key for use with Amazon S3, but the organizational security policy requires separate master keys for different IAM services to limit blast radius.

How can an IAM KMS customer master key (CMK) be constrained to work with only Amazon S3?

Configure the CMK key policy to allow only the Amazon S3 service to use the kms Encrypt action

Configure the CMK key policy to allow IAM KMS actions only when the kms ViaService condition matches the Amazon S3 service name.

Configure the IAM user's policy lo allow KMS to pass a rote lo Amazon S3

Configure the IAM user's policy to allow only Amazon S3 operations when they are combined with the CMK

33. You work at a company that makes use of IAM resources. One of the key security policies is to ensure that all data i encrypted both at rest and in transit.

Which of the following is one of the right ways to implement this.

Use S3 SSE and use SSL for data in transit

SSL termination on the ELB

Enabling Proxy Protocol

Enabling sticky sessions on your load balancer

34. A company has a web server in the AWS Cloud. The company will store the content for the web server in an Amazon S3 bucket. A security engineer must use an Amazon CloudFront distribution to speed up delivery of the content. None of the files can be publicly accessible from the S3 bucket direct.

Which solution will meet these requirements?

Configure the permissions on the individual files in the S3 bucket so that only the CloudFront distribution has access to them.

Create an origin access identity (OAI). Associate the OAI with the CloudFront distribution. Configure the S3 bucket permissions so that only the OAI can access the files in the S3 bucket.

Create an S3 role in AWS Identity and Access Management (IAM). Allow only the CloudFront distribution to assume the role to access the files in the S3 bucket.

Create an S3 bucket policy that uses only the CloudFront distribution ID as the principal and the Amazon Resource Name (ARN) as the target.

35. A company has thousands of AWS Lambda functions. While reviewing the Lambda functions, a security engineer discovers that sensitive information is being stored in environment variables and is viewable as plaintext in the Lambda console. The values of the sensitive information are only a few characters long.

What is the MOST cost-effective way to address this security issue?

Set up IAM policies from the Lambda console to hide access to the environment variables.

Use AWS Step Functions to store the environment variables. Access the environment variables at runtime. Use IAM permissions to restrict access to the environment variables to only the Lambda functions that require access.

Store the environment variables in AWS Secrets Manager, and access them at runtime. Use IAM permissions to restrict access to the secrets to only the Lambda functions that require access.

Store the environment variables in AWS Systems Manager Parameter Store as secure string parameters, and access them at runtime. Use IAM permissions to restrict access to the parameters to only the Lambda functions that require access.

36. A company wants to protect its website from man in-the-middle attacks by using Amazon CloudFront.

Which solution will meet these requirements with the LEAST operational overhead?

Use the SimpleCORS managed response headers policy.

Use a Lambda@Edge function to add the Strict-Transport-Security response header.

Use the SecurityHeadersPolicy managed response headers policy.

Include the X-XSS-Protection header in a custom response headers policy.

37. A company's policy requires that all API keys be encrypted and stored separately from source code in a centralized security account. This security account is managed by the company's security team However, an audit revealed that an API key is steed with the source code of an IAM Lambda function m an IAM CodeCommit repository in the DevOps account

How should the security learn securely store the API key?

Create a CodeCommit repository in the security account using IAM Key Management Service (IAM KMS) tor encryption Require the development team to migrate the Lambda source code to this repository

Store the API key in an Amazon S3 bucket in the security account using server-side encryption with Amazon S3 managed encryption keys (SSE-S3) to encrypt the key Create a resigned URL tor the S3 key. and specify the URL m a Lambda environmental variable in the IAM CloudFormation template Update the Lambda function code to retrieve the key using the URL and call the API

Create a secret in IAM Secrets Manager in the security account to store the API key using IAM Key Management Service (IAM KMS) tor encryption Grant access to the IAM role used by the Lambda function so that the function can retrieve the key from Secrets Manager and call the API

Create an encrypted environment variable for the Lambda function to store the API key using IAM Key Management Service (IAM KMS) tor encryption Grant access to the IAM role used by the Lambda function so that the function can decrypt the key at runtime

38. A company has a web-based application using Amazon CloudFront and running on Amazon Elastic Container Service (Amazon ECS) behind an Application Load Balancer (ALB). The ALB is terminating TLS and balancing load across ECS service tasks A security engineer needs to design a solution to ensure that application content is accessible only through CloudFront and that I is never accessible directly.

How should the security engineer build the MOST secure solution?

Add an origin custom header Set the viewer protocol policy to HTTP and HTTPS Set the origin protocol pokey to HTTPS only Update the application to validate the CloudFront custom header

Add an origin custom header Set the viewer protocol policy to HTTPS only Set the origin protocol policy to match viewer Update the application to validate the CloudFront custom header.

Add an origin custom header Set the viewer protocol policy to redirect HTTP to HTTPS Set the origin protocol policy to HTTP only Update the application to validate the CloudFront custom header.

Add an origin custom header Set the viewer protocol policy to redirect HTTP to HTTP

Set the origin protocol policy to HTTPS only Update the application to validate the CloudFront custom header

39. A company has a new partnership with a vendor. The vendor will process data from the company's customers. The company will upload data files as objects into an Amazon S3 bucket. The vendor will download the objects to perform data processing. The objects will contain sensitive data.

A security engineer must implement a solution that prevents objects from residing in the S3 bucket for longer than 72 hours.

Which solution will meet these requirements?

Use Amazon Macie to scan the S3 bucket for sensitive data every 72 hours. Configure Macie to delete the objects that contain sensitive data when they are discovered.

Configure an S3 Lifecycle rule on the S3 bucket to expire objects that have been in the S3 bucket for 72 hours.

Create an Amazon EventBridge scheduled rule that invokes an AWS Lambda function every day. Program the Lambda function to remove any objects that have been in the S3 bucket for 72 hours.

Use the S3 Intelligent-Tiering storage class for all objects that are up-loaded to the S3 bucket. Use S3 Intelligent-Tiering to expire objects that have been in the S3 bucket for 72 hours.

40. A security engineer creates an Amazon S3 bucket policy that denies access to all users. A few days later, the security engineer adds an additional statement to the bucket policy to allow read-only access to one other employee. Even after updating the policy, the employee still receives an access denied message.

What is the likely cause of this access denial?

A security engineer is working with a company to design an ecommerce application. The application will run on Amazon EC2 instances that run in an Auto Scaling group behind an Application Load Balancer (ALB). The application will use an Amazon RDS DB instance for its database.

The only required connectivity from the internet is for HTTP and HTTPS traffic to the application. The application must communicate with an external payment provider that allows traffic only from a preconfigured allow list of IP addresses. The company must ensure that communications with the external payment provider are not interrupted as the environment scales.

Which combination of actions should the security engineer recommend to meet these requirements? (Select THREE.)

Deploy a NAT gateway in each private subnet for every Availability Zone that is in use.

Place the DB instance in a public subnet.

Place the DB instance in a private subnet.

Configure the Auto Scaling group to place the EC2 instances in a public subnet.

Configure the Auto Scaling group to place the EC2 instances in a private subnet.

Deploy the ALB in a private subnet.

Page 5 of 8

41. 1.A business requires a forensic logging solution for hundreds of Docker-based apps running on Amazon EC2.

The solution must analyze logs in real time, provide message replay, and persist logs.

Which Amazon Web Offerings (IAM) services should be employed to satisfy these requirements? (Select two.)

Amazon Athena

Amazon Kinesis

Amazon SQS

Amazon Elasticsearch

Amazon EMR

42. A security engineer is defining the controls required to protect the IAM account root user credentials in an IAM Organizations hierarchy. The controls should also limit the impact in case these credentials have been compromised.

Which combination of controls should the security engineer propose? (Select THREE.)

A)

C) Enable multi-factor authentication (MFA) for the root user.

D) Set a strong randomized password and store it in a secure location.

E) Create an access key ID and secret access key, and store them in a secure location.

F) Apply the following permissions boundary to the toot user:

Option A

Option B

Option C

Option D

Option E

Option F

43. A company is using AWS Organizations to manage multiple accounts. The company needs to allow an IAM user to use a role to access resources that are in another organization's AWS account.

Which combination of steps must the company perform to meet this requirement? (Select TWO.)

Create an identity policy that allows the sts: AssumeRole action in the AWS account that contains the resources. Attach the identity policy to the IAM user.

Ensure that the sts: AssumeRole action is allowed by the SCPs of the organization that owns the resources that the IAM user needs to access.

Create a role in the AWS account that contains the resources. Create an entry in the role's trust policy that allows the IAM user to assume the role. Attach the trust policy to the role.

Establish a trust relationship between the IAM user and the AWS account that contains the resources.

Create a role in the IAM user's AWS account. Create an identity policy that allows the sts: AssumeRole action. Attach the identity policy to the role.

44. A company stores images for a website in an Amazon S3 bucket. The company is using Amazon CloudFront to serve the images to end users. The company recently discovered that the images are being accessed from countries where the company does not have a distribution license.

Which actions should the company take to secure the images to limit their distribution? (Select TWO.)

Update the S3 bucket policy to restrict access to a CloudFront origin access identity (OAI).

Update the website DNS record to use an Amazon Route 53 geolocation record deny list of countries where the company lacks a license.

Add a CloudFront geo restriction deny list of countries where the company lacks a license.

Update the S3 bucket policy with a deny list of countries where the company lacks a license.

Enable the Restrict Viewer Access option in CloudFront to create a deny list of countries where the company lacks a license.

45. A company has two VPCs in the same AWS Region and in the same AWS account Each VPC uses a CIDR block that does not overlap with the CIDR block of the other VPC One VPC contains AWS Lambda functions that run inside a subnet that accesses the internet through a NAT gateway. The Lambda functions require access to a publicly accessible Amazon Aurora MySQL database that is running in the other VPC

A security engineer determines that the Aurora database uses a security group rule that allows connections from the NAT gateway IP address that the Lambda functions use. The company's security policy states that no database should be publicly accessible.

What is the MOST secure way that the security engineer can provide the Lambda functions with access to the Aurora database?

Move the Aurora database into a private subnet that has no internet access routes in the database's current VPC Configure the Lambda functions to use the Aurora database's new private IP address to access the database Configure the Aurora databases security group to allow access from the private IP addresses of the Lambda functions

Establish a VPC endpoint between the two VPCs in the Aurora database's VPC configure a service VPC endpoint for Amazon RDS In the Lambda functions' VP

configure an interface VPC endpoint that uses the service endpoint in the Aurora database's VPC Configure the service endpoint to allow connections from the Lambda functions.

Establish an AWS Direct Connect interface between the VPCs Configure the Lambda functions to use a new route table that accesses the Aurora database through the Direct Connect interface Configure the Aurora database's security group to allow access from the Direct Connect interface IP address

Move the Lambda functions into a public subnet in their VPC Move the Aurora database into a private subnet in its VPC Configure the Lambda functions to use the Aurora database's new private IP address to access the database Configure the Aurora database to allow access from the public IP addresses of the Lambda functions

46. A security engineer is creating an AWS Lambda function. The Lambda function needs to use a role that is named LambdaAuditRole to assume a role that is named AcmeAuditFactoryRole in a different AWS account.

When the code is processed, the following error message appears: "An error oc-curred (AccessDenied) when calling the AssumeRole operation."

Which combination of steps should the security engineer take to resolve this er-ror? (Select TWO.)

Ensure that LambdaAuditRole has the sts:AssumeRole permission for Ac-meAuditFactoryRole.

Ensure that LambdaAuditRole has the AWSLambdaBasicExecutionRole managed policy attached.

Ensure that the trust policy for AcmeAuditFactoryRole allows the sts:AssumeRole action from LambdaAuditRole.

Ensure that the trust policy for LambdaAuditRole allows the sts:AssumeRole action from the lambda.amazonaws.com service.

Ensure that the sts:AssumeRole API call is being issued to the us-east-I Region endpoint.

47. A company is hosting a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application has become the target of a DoS attack. Application logging shows that requests are coming from small number of client IP addresses, but the addresses change regularly.

The company needs to block the malicious traffic with a solution that requires the least amount of ongoing effort.

Which solution meets these requirements?

Create an AWS WAF rate-based rule, and attach it to the AL

Update the security group that is attached to the ALB to block the attacking IP addresses.

Update the ALB subnet's network ACL to block the attacking client IP addresses.

Create a AWS WAF rate-based rule, and attach it to the security group of the EC2 instances.

48. A company has multiple departments. Each department has its own IAM account. All these accounts belong to the same organization in IAM Organizations.

A large .csv file is stored in an Amazon S3 bucket in the sales department's IAM account. The company wants to allow users from the other accounts to access the .csv file's content through the combination of IAM Glue and Amazon Athena. However, the company does not want to allow users from the other accounts to access other files in the same folder.

Which solution will meet these requirements?

Apply a user policy in the other accounts to allow IAM Glue and Athena lo access the .csv We.

Use S3 Select to restrict access to the .csv lie. In IAM Glue Data Catalog, use S3 Select as the source of the IAM Glue database.

Define an IAM Glue Data Catalog resource policy in IAM Glue to grant cross-account S3 object access to the .csv file.

Grant IAM Glue access to Amazon S3 in a resource-based policy that specifies the organization as the principal.

49. A company stores sensitive documents in Amazon S3 by using server-side encryption with an IAM Key Management Service (IAM KMS) CMK. A new requirement mandates that the CMK that is used for these documents can be used only for S3 actions.

Which statement should the company add to the key policy to meet this requirement?

A)

Option A

Option B

50. A company is building a data processing application that uses AWS Lambda functions The application's Lambda functions need to communicate with an Amazon RDS OB instance that is deployed within a VPC in the same AWS account

Which solution meets these requirements in the MOST secure way?

Configure the DB instance to allow public access Update the DB instance security group to allow access from the Lambda public address space for the AWS Region

Peer the Lambda default VPC with the VPC that hosts the DB instance to allow direct network access without the need for security groups

Page 6 of 8

51. A company has several workloads running on AWS. Employees are required to authenticate using on-premises ADFS and SSO to access the AWS Management

Console. Developers migrated an existing legacy web application to an Amazon EC2 instance. Employees need to access this application from anywhere on the internet, but currently, there is no authentication system built into the application.

How should the Security Engineer implement employee-only access to this system without changing the application?

Place the application behind an Application Load Balancer (ALB). Use Amazon Cognito as authentication for the AL

Define a SAML-based Amazon Cognito user pool and connect it to ADF

Implement AWS SSO in the master account and link it to ADFS as an identity provider. Define the EC2 instance as a managed resource, then apply an IAM policy on the resource.

Define an Amazon Cognito identity pool, then install the connector on the Active Directory server. Use the Amazon Cognito SDK on the application instance to authenticate the employees using their Active Directory user names and passwords.

Create an AWS Lambda custom authorizer as the authenticator for a reverse proxy on Amazon EC2. Ensure the security group on Amazon EC2 only allows access from the Lambda function.

52. There is a requirement for a company to transfer large amounts of data between IAM and an on-premise location. There is an additional requirement for low latency and high consistency traffic to IAM.

Given these requirements how would you design a hybrid architecture? Choose the correct answer from the options below

Provision a Direct Connect connection to an IAM region using a Direct Connect partner.

Create a VPN tunnel for private connectivity, which increases network consistency and reduces latency.

Create an IPsec tunnel for private connectivity, which increases network consistency and reduces latency.

Create a VPC peering connection between IAM and the Customer gateway.

53. A company is designing a new application stack. The design includes web servers and backend servers that are hosted on Amazon EC2 instances. The design also includes an Amazon Aurora MySQL DB cluster.

The EC2 instances are m an Auto Scaling group that uses launch templates. The EC2 instances for the web layer and the backend layer are backed by Amazon Elastic Block Store (Amazon EBS) volumes. No layers are encrypted at rest. A security engineer needs to implement encryption at rest.

Which combination of steps will meet these requirements? (Select TWO.)

Modify EBS default encryption settings in the target AWS Region to enable encryption. Use an Auto Scaling group instance refresh.

Modify the launch templates for the web layer and the backend layer to add AWS Certificate Manager (ACM) encryption for the attached EBS volumes. Use an Auto Scaling group instance refresh.

Create a new AWS Key Management Service (AWS KMS) encrypted DB cluster from a snapshot of the existing DB cluster.

Apply AWS Key Management Service (AWS KMS) encryption to the existing DB cluster.

Apply AWS Certificate Manager (ACM) encryption to the existing DB cluster.

54. A website currently runs on Amazon EC2, wan mostly statics content on the site. Recently the site was subjected to a DDoS attack a security engineer was (asked was redesigning the edge security to help

Mitigate this risk in the future.

What are some ways the engineer could achieve this (Select THREE)?

Use IAM X-Ray to inspect the trafc going to the EC2 instances.

Move the static content to Amazon S3, and front this with an Amazon Cloud Front distribution.

Change the security group conguration to block the source of the attack trafc

Use IAM WAF security rules to inspect the inbound trafc.

Use Amazon Inspector assessment templates to inspect the inbound traffic.

Use Amazon Route 53 to distribute trafc.

55. A company’s public Application Load Balancer (ALB) recently experienced a DDoS attack. To mitigate this issue. the company deployed Amazon CloudFront in front of the ALB so that users would not directly access the Amazon EC2 instances behind the ALB.

The company discovers that some traffic is still coming directly into the ALB and is still being handled by the EC2 instances.

Which combination of steps should the company take to ensure that the EC2 instances will receive traffic only from CloudFront? (Choose two.)

Configure CloudFront to add a cache key policy to allow a custom HTTP header that CloudFront sends to the AL

Configure CloudFront to add a custom: HTTP header to requests that CloudFront sends to the AL

Configure the ALB to forward only requests that contain the custom HTTP header.

Configure the ALB and CloudFront to use the X-Forwarded-For header to check client IP addresses.

Configure the ALB and CloudFront to use the same

509 certificate that is generated by AWS Certificate Manager (ACM).

56. A company is using AWS Organizations to create OUs for its accounts. The company has more than 20 accounts that are all part of the OUs. A security engineer must implement a solution to ensure that no account can stop to file delivery to AWS CloudTrail.

Which solution will meet this requirement?

Use the --is-multi-region-trail option while running the create-trail command to ensure that logs are configured across all AWS Regions.

Create an SCP that includes a Deny rule tor the cloudtrail. StopLogging action Apply the SCP to all accounts in the OUs.

Create an SCP that includes an Allow rule for the cloudtrail. StopLogging action Apply the SCP to all accounts in the OUs.

Use AWS Systems Manager to ensure that CloudTrail is always turned on.

57. A company needs to store multiple years of financial records. The company wants to use Amazon S3 to store copies of these documents. The company must implement a solution to prevent the documents from being edited, replaced, or deleted for 7 years after the documents are stored in Amazon S3. The solution must also encrypt the documents at rest.

A security engineer creates a new S3 bucket to store the documents.

What should the security engineer do next to meet these requirements?

Configure S3 server-side encryption. Create an S3 bucket policy that has an explicit deny rule for all users for s3:DeleteObject and s3:PutObject API calls. Configure S3 Object Lock to use governance mode with a retention period of 7 years.

Configure S3 server-side encryption. Configure S3 Versioning on the S3 bucket. Configure S3 Object Lock to use compliance mode with a retention period of 7 years.

Configure S3 Versioning. Configure S3 Intelligent-Tiering on the S3 bucket to move the documents to S3 Glacier Deep Archive storage. Use S3 server-side encryption immediately. Expire the objects after 7 years.

Set up S3 Event Notifications and use S3 server-side encryption. Configure S3 Event Notifications to target an AWS Lambda function that will review any S3 API call to the S3 bucket and deny the s3:DeleteObject and s3:PutObject API calls. Remove the S3 event notification after 7 years.

58. An organization wants to log all IAM API calls made within all of its IAM accounts, and must have a central place to analyze these logs.

What steps should be taken to meet these requirements in the MOST secure manner? (Select TWO)

Turn on IAM CloudTrail in each IAM account

Turn on CloudTrail in only the account that will be storing the logs

Update the bucket ACL of the bucket in the account that will be storing the logs so that other accounts can log to it

Create a service-based role for CloudTrail and associate it with CloudTrail in each account

Update the bucket policy of the bucket in the account that will be storing the logs so that other accounts can log to it

59. A Network Load Balancer (NLB) target instance is not entering the InService state. A security engineer determines that health checks are failing.

Which factors could cause the health check failures? (Select THREE.)

The target instance's security group does not allow traffic from the NL

The target instance's security group is not attached to the NL

The NLB's security group is not attached to the target instance.

The target instance's subnet network ACL does not allow traffic from the NL

The target instance's security group is not using IP addresses to allow traffic from the NL

The target network ACL is not attached to the NL

60. A development team is attempting to encrypt and decode a secure string parameter from the IAM Systems Manager Parameter Store using an IAM Key Management Service (IAM KMS) CMK. However, each attempt results in an error message being sent to the development team.

Which CMK-related problems possibly account for the error? (Select two.)

The CMK is used in the attempt does not exist.

The CMK is used in the attempt needs to be rotated.

The CMK is used in the attempt is using the CMK™s key ID instead of the CMK AR

The CMK is used in the attempt is not enabled.

The CMK is used in the attempt is using an alias.

Page 7 of 8

61. A company created an IAM account for its developers to use for testing and learning purposes Because MM account will be shared among multiple teams of developers, the company wants to restrict the ability to stop and terminate Amazon EC2 instances so that a team can perform these actions only on the instances it owns.

Developers were Instructed to tag al their instances with a Team tag key and use the team name in the tag value One of the first teams to use this account is Business Intelligence A security engineer needs to develop a highly scalable solution for providing developers with access to the appropriate resources within the account The security engineer has already created individual IAM roles for each team.

Which additional configuration steps should the security engineer take to complete the task?

A. For each team, create an AM policy similar to the one that fellows Populate the ec2: ResourceTag/Team condition key with a proper team name Attach resulting policies to the corresponding IAM roles.

B. For each team create an IAM policy similar to the one that follows Populate the IAM TagKeys/Team condition key with a proper team name. Attach the resuming policies to the corresponding IAM roles.

C. Tag each IAM role with a Team lag key. and use the team name in the tag value. Create an IAM policy similar to the one that follows, and attach 4 to all the IAM roles used by developers.

D. Tag each IAM role with the Team key, and use the team name in the tag value. Create an IAM policy similar to the one that follows, and it to all the IAM roles used by developers.

A. Option A

B. Option B

C. Option C

D. Option D

62. A company wants to establish separate IAM Key Management Service (IAM KMS) keys to use for different IAM services. The company's security engineer created the following key policy lo allow the infrastructure deployment team to create encrypted Amazon Elastic Block Store (Amazon EBS) volumes by assuming the Infrastructure Deployment IAM role:

The security engineer recently discovered that IAM roles other than the InfrastructureDeployment role used this key (or other services.

Which change to the policy should the security engineer make to resolve these issues?

In the statement block that contains the Sid "Allow use of the key", under the "Condition" block, change StringEquals to StringLike.

In the policy document, remove the statement Dlock that contains the Sid "Enable IAM User Permissions". Add key management policies to the KMS policy.

In the statement block that contains the Sid "Allow use of the Key", under the "Condition" block, change the Kms:ViaService value to ec2.us-east-1 .amazonIAM com.

In the policy document, add a new statement block that grants the kms:Disable' permission to the security engineer's IAM role.

63. A company has enabled Amazon GuardDuty in all AWS Regions as part of its security monitoring strategy. In one of its VPCs, the company hosts an Amazon EC2 instance that works as an FTP server. A high number of clients from multiple locations contact the FTP server. GuardDuty identifies this activity as a brute force attack because of the high number of connections that happen every hour.

The company has flagged the finding as a false positive, but GuardDuty continues to raise the issue. A security engineer must improve the signal-to-noise ratio without compromising the companys visibility of potential anomalous behavior.

Which solution will meet these requirements?

Disable the FTP rule in GuardDuty in the Region where the FTP server is deployed.

Add the FTP server to a trusted IP list. Deploy the list to GuardDuty to stop receiving the notifications.

Create a suppression rule in GuardDuty to filter findings by automatically archiving new findings that match the specified criteria.

Create an AWS Lambda function that has the appropriate permissions to de-lete the finding whenever a new occurrence is reported.

64. A company wants to ensure that its IAM resources can be launched only in the us-east-1 and us-west-2 Regions.

What is the MOST operationally efficient solution that will prevent developers from launching Amazon EC2 instances in other Regions?

Enable Amazon GuardDuty in all Regions. Create alerts to detect unauthorized activity outside us-east-1 and us-west-2.

Use an organization in IAM Organizations. Attach an SCP that allows all actions when the IAM: Requested Region condition key is either us-east-1 or us-west-2. Delete the FullIAMAccess policy.

Provision EC2 resources by using IAM Cloud Formation templates through IAM CodePipeline. Allow only the values of us-east-1 and us-west-2 in the IAM CloudFormation template's parameters.

Create an IAM Config rule to prevent unauthorized activity outside us-east-1 and us-west-2.

65. A company is running internal microservices on Amazon Elastic Container Service (Amazon ECS) with the Amazon EC2 launch type. The company is using Amazon Elastic Container Registry (Amazon ECR) private repositories.

A security engineer needs to encrypt the private repositories by using AWS Key Management Service (AWS KMS). The security engineer also needs to analyze the container images for any common vulnerabilities and exposures (CVEs).

Which solution will meet these requirements?

Enable KMS encryption on the existing ECR repositories. Install Amazon Inspector Agent from the ECS container instances’ user data. Run an assessment with the CVE rules.

Recreate the ECR repositories with KMS encryption and ECR scanning enabled. Analyze the scan report after the next push of images.

Recreate the ECR repositories with KMS encryption and ECR scanning enabled. Install AWS Systems Manager Agent on the ECS container instances. Run an inventory report.

Enable KMS encryption on the existing ECR repositories. Use AWS Trusted Advisor to check the ECS container instances and to verily the findings against a list of current CVEs.

66. A company's security engineer is designing an isolation procedure for Amazon EC2 instances as part of an incident response plan. The security engineer needs to isolate a target instance to block any traffic to and from the target instance, except for traffic from the company's forensics team. Each of the company's EC2 instances has its own dedicated security group. The EC2 instances are deployed in subnets of a VPC. A subnet can contain multiple instances.

The security engineer is testing the procedure for EC2 isolation and opens an SSH session to the target instance. The procedure starts to simulate access to the target instance by an attacker. The security engineer removes the existing security group rules and adds security group rules to give the forensics team access to the target instance on port 22.

After these changes, the security engineer notices that the SSH connection is still active and usable. When the security engineer runs a ping command to the public IP address of the target instance, the ping command is blocked.

What should the security engineer do to isolate the target instance?

Add an inbound rule to the security group to allow traffic from 0.0.0.0/0 for all ports. Add an outbound rule to the security group to allow traffic to 0.0.0.0/0 for all ports. Then immediately delete these rules.

Remove the port 22 security group rule. Attach an instance role policy that allows AWS Systems Manager Session Manager connections so that the forensics team can access the target instance.

Create a network ACL that is associated with the target instance's subnet. Add a rule at the top of the inbound rule set to deny all traffic from 0.0.0.0/0. Add a rule at the top of the outbound rule set to deny all traffic to 0.0.0.0/0.

Create an AWS Systems Manager document that adds a host-level firewall rule to block all inbound traffic and outbound traffic. Run the document on the target instance.

67. Your CTO thinks your IAM account was hacked.

What is the only way to know for certain if there was unauthorized access and what they did, assuming your hackers are very sophisticated IAM engineers and doing everything they can to cover their tracks?

Use CloudTrail Log File Integrity Validation.

Use IAM Config SNS Subscriptions and process events in real time.

Use CloudTrail backed up to IAM S3 and Glacier.

Use IAM Config Timeline forensics.

68. A company wants to deploy a distributed web application on a fleet of EC2 instances. The fleet will be fronted by a Classic Load Balancer that will be configured to terminate the TLS connection The company wants to make sure that all past and current TLS traffic to the Classic Load Balancer stays secure even if the certificate private key is leaked.

To ensure the company meets these requirements, a Security Engineer can configure a Classic Load Balancer with:

An HTTPS listener that uses a certificate that is managed by Amazon Certification Manager.

An HTTPS listener that uses a custom security policy that allows only perfect forward secrecy cipher

An HTTPS listener that uses the latest IAM predefined ELBSecuntyPolicy-TLS-1 -2-2017-01 security policy

A TCP listener that uses a custom security policy that allows only perfect forward secrecy cipher suites.

69. A company is using AWS Organizations to manage multiple AWS accounts for its hu-man resources, finance, software development, and production departments. All the company's developers are part of the software development AWS account.

The company discovers that developers have launched Amazon EC2 instances that were preconfigured with software that the company has not approved for use. The company wants to implement a solution to ensure that developers can launch EC2 instances with only approved software applications and only in the software development AWS account.

Which solution will meet these requirements?

In the software development account, create AMIS of preconfigured instanc-es that include only approved software. Include the AMI IDs in the condition section of an AWS CloudFormation template to launch the appropriate AMI based on the AWS Region. Provide the developers with the CloudFor-mation template to launch EC2 instances in the software development account.

Create an Amazon EventBridge rule that runs when any EC2 Runlnstances API event occurs in the software development account. Specify AWS Systems Man-ager Run Command as a target of the rule. Configure Run Command to run a script that will install all approved software onto the instances that the developers launch.

Use an AWS Service Catalog portfolio that contains EC2 products with ap-propriate AMIS that include only approved software. Grant the developers permission to portfolio access only the Service Catalog to launch a product in the software development account.

In the management account, create AMIS of preconfigured instances that include only approved software. Use AWS CloudFormation StackSets to launch the AMIS across any AWS account in the organization. Grant the developers permission to launch the stack sets within the management account.

70. Developers in an organization have moved from a standard application deployment to containers. The Security Engineer is tasked with ensuring that the containers are secure.

Which strategies will reduce the attack surface and enhance the security of the containers? (Select TWO.)

Use the containers to automate security deployments.

Limit resource consumption (CPU, memory), networking connections, ports, and unnecessary container libraries.

Segregate containers by host, function, and data classification.

Use Docker Notary framework to sign task definitions.

Enable container breakout at the host kernel.

Page 8 of 8

71. A development team is using an IAM Key Management Service (IAM KMS) CMK to try to encrypt and decrypt a secure string parameter from IAM Systems Manager Parameter Store. However, the development team receives an error message on each attempt.

Which issues that are related to the CMK could be reasons for the error? (Select TWO.)

The CMK that is used in the attempt does not exist.

The CMK that is used in the attempt needs to be rotated.

The CMK that is used in the attempt is using the CMK's key ID instead of the CMK AR

The CMK that is used in the attempt is not enabled.

The CMK that is used in the attempt is using an alias.

72. A company uses a third-party application to store encrypted data in Amazon S3. The company uses another third-party application trial decrypts the data from Amazon S3 to ensure separation of duties Between the applications A Security Engineer warns to separate the permissions using IAM roles attached to Amazon EC2 instances. The company prefers to use native IAM services.

Which encryption method will meet these requirements?

Use encrypted Amazon EBS volumes with Amazon default keys (IAM EBS)

Use server-side encryption with customer-provided keys (SSE-C)

Use server-side encryption with IAM KMS managed keys (SSE-KMS)

Use server-side encryption with Amazon S3 managed keys (SSE-S3)

TAGS:

SCS-C02, SCS-C02 exam dumps

Notify of

Label

Name*

Email*

Website

Label

Name*

Email*

Website

0 Comments

Oldest

Newest Most Voted

Inline Feedbacks

View all comments

Get SCS-C02 Dumps Full Version

Q&As: 325
Versions: PDF and Software Download Now

About Dumpsinfo

Dumpsinfo is a good platform providing the latest exam information and dumps questions for all IT certification exams. You can study all the latest exam dumps questions online.

[email protected]

Mon - Sat 9:00am - 6:00pm

SCS-C02 Dumps Guarantee You Pass SCS-C02 Exam Easily

Related

Posts

Amazon AIF-C01 Exam Questions Simulate Actual AIF-C01 Exam

Prepare SOA-C02 Exam with Using SOA-C02 Dump Questions

Online MLS-C01 Exam Dumps Help You Build Confidence

Test Online CLF-C02 Dumps Questions to Be Certified

About Us

EMAIL

Services

Opening Hours