SCS-C02 Exam Dumps - AWS Certified Security - Specialty

Searching for workable clues to ace the Amazon Web Services SCS-C02 Exam? You’re on the right place! ExamCert has realistic, trusted and authentic exam prep tools to help you achieve your desired credential. ExamCert’s SCS-C02 PDF Study Guide, Testing Engine and Exam Dumps follow a reliable exam preparation strategy, providing you the most relevant and updated study material that is crafted in an easy to learn format of questions and answers. ExamCert’s study tools aim at simplifying all complex and confusing concepts of the exam and introduce you to the real exam scenario and practice it with the help of its testing engine and real exam dumps

Go to page:

Question # 97

A company is implementing a customized notification solution to detect repeated unauthorized authentication attempts to bastion hosts. The company's security engineer needs to implement a solution that will provide notification when 5 failed attempts occur within a 5-minute period. The solution must use native AWS services and must notify only the designated system administrator who is assigned to the specific bastion host.

Which solution will meet these requirements?

Use the Amazon CloudWatch agent to collect operating system logs. Use Amazon EventBridge to configure an alarm based on a metric filter for failed login attempts. Send an alert to Amazon Simple Notification Service (Amazon SNS) when the defined threshold for the alarm is exceeded. Use Amazon EC2 instance tags to determine which SNS topics receive notifications.

Use AWS Systems Manager Agent to collect operating system logs. Use the Systems Manager Run Command AWS-ConfigureCloudWatch document to configure an Amazon EventBridge event based on a metric filter for failed login attempts. Send an alert to Amazon Simple Notification Service (Amazon SNS) when the defined threshold for the alarm is exceeded. Use SNS messaging filters to control who receives notifications.

Use the Amazon CloudWatch agent to collect operating system logs Create a CloudWatch alarm based on a metric filter for failed login attempts. Send an alert to Amazon Simple Notification Service (Amazon SNS) when the defined threshold for the alarm is exceeded. Use SNS messaging filters to control who receives notifications.

Use AWS Systems Manager Agent to collect operating system logs. Use the Systems Manager Run Command AWS-ConfigureCloudWatch document to configure an Amazon CloudWatch alarm based on a metric filter for failed login attempts. Send an alert to Amazon Simple Notification Service (Amazon SNS) when the defined threshold for the alarm is exceeded. Use EC2 instance tags to determine which SNS topics receive notifications.

Full Access

Question # 98

A company wants to know when users make changes to IAM roles in the company's AWS account. The company uses Amazon CloudWatch and AWS CloudTrail in the account. The company has configured a CloudTrail trail to capture read and write API activity for management events. The company has an Amazon Simple Notification Service (Amazon SNS) topic for security notifications.

A security engineer must implement a solution that provides a notification when an IAM role is edited.

Which solution will meet this requirement?

Enable Amazon Detective. Run a Detective investigation for changes to IAM roles. Create an Amazon EventBridge rule that monitors the results of the Detective investigation. Set the SNS topic as the target of the EventBridge rule.

Create an Amazon EventBridge rule that monitors AWS API calls from CloudTrail. Scope the event pattern to monitor changes to IAM roles from the lam.amazonaws.com event source. Set the SNS topic as the target of the EventBridge rule.

Create a new CloudWatch log group. Configure the CloudTrail trail to send events to the new log group. Set up a CloudWatch metric to monitor changes to IAM roles from the lam.amazonaws.com event source. Create a subscription filter for the log group. Set the SNS topic as the target of the subscription filter.

Create a new CloudWatch log group. Configure the CloudTrail trail to send events to the new log group. Create a subscription filter that includes an event pattemn to monitor changes to IAM roles from the lam.amazonaws.com event source. Set the SNS topic as the target of the subscription filter.

Full Access

Question # 99

An organization wants to log all IAM API calls made within all of its IAM accounts, and must have a central place to analyze these logs. What steps should be taken to meet these requirements in the MOST secure manner? (Select TWO)

Turn on IAM CloudTrail in each IAM account

Turn on CloudTrail in only the account that will be storing the logs

Update the bucket ACL of the bucket in the account that will be storing the logs so that other accounts can log to it

Create a service-based role for CloudTrail and associate it with CloudTrail in each account

Update the bucket policy of the bucket in the account that will be storing the logs so that other accounts can log to it

Full Access

Question # 100

A company stores sensitive documents in Amazon S3 by using server-side encryption with an IAM Key Management Service (IAM KMS) CMK. A new requirement mandates that the CMK that is used for these documents can be used only for S3 actions.

Which statement should the company add to the key policy to meet this requirement?

Option A

Option B

Full Access

Question # 101

A company has a legacy application that runs on a single Amazon EC2 instance. A security audit shows that the application has been using an IAM access key within its code to access an Amazon S3 bucket that is named DOC-EXAMPLE-BUCKET1 in the same AWS account. This access key pair has the s3:GetObject permission to all objects in only this S3 bucket. The company takes the application offline because the application is not compliant with the companyâ€™s security policies for accessing other AWS resources from Amazon EC2.

A security engineer validates that AWS CloudTrail is turned on in all AWS Regions. CloudTrail is sending logs to an S3 bucket that is named DOC-EXAMPLE-BUCKET2. This S3 bucket is in the same AWS account as DOC-EXAMPLE-BUCKET1. However, CloudTrail has not been configured to send logs to Amazon CloudWatch Logs.

The company wants to know if any objects in DOC-EXAMPLE-BUCKET1 were accessed with the IAM access key in the past 60 days. If any objects were accessed, the company wants to know if any of the objects that are text files (.txt extension) contained personally identifiable information (PII).

Which combination of steps should the security engineer take to gather this information? (Choose two.)

Configure Amazon Macie to identify any objects in DOC-EXAMPLE-BUCKET1 that contain PII and that were available to the access key.

Use Amazon CloudWatch Logs Insights to identify any objects in DOC-EXAMPLE-BUCKET1 that contain PII and that were available to the access key.

Use Amazon OpenSearch Service (Amazon Elasticsearch Service) to query the CloudTrail logs in DOC-EXAMPLE-BUCKET2 for API calls that used the access key to access an object that contained PII.

Use Amazon Athena to query the CloudTrail logs in DOC-EXAMPLE-BUCKET2 for any API calls that used the access key to access an object that contained PII.

Use AWS Identity and Access Management Access Analyzer to identify any API calls that used the access key to access objects that contained PII in DOC-EXAMPLE-BUCKET1.

Full Access

Question # 102

A security engineer is working with a development team to design a supply chain application that stores sensitive inventory data in an Amazon S3 bucket. The application will use an AWS Key Management Service (AWS KMS) customer managed key to encrypt the data in Amazon S3.

The inventory data in Amazon S3 will be shared with hundreds of vendors. All vendors will use AWS principals from their own AWS accounts to access the data in Amazon S3. The vendor list might change weekly.

The security engineer needs to find a solution that supports cross-account access.

Which solution is the MOST operationally efficient way to manage access control for the customer managed key?

Use KMS grants to manage key access. Programmatically create and revoke grants to manage vendor access.

Use an IAM role to manage key access. Programmatically update the IAM role policies to manage vendor access.

Use KMS key policies to manage key access. Programmatically update the KMS key policies to manage vendor access.

Use delegated access across AWS accounts by using IAM roles to manage key access. Programmatically update the IAM trust policy to manage cross-account vendor access.

Full Access

Question # 103

A company uses a collaboration application. A security engineer needs to configure automated alerts from AWS Security Hub in the us-west-2 Region for the application. The security engineer wants to receive an alert in a channel in the application every time Security Hub receives a new finding.

The security engineer creates an AWS Lambda function to convert the message to the format that the application requires. The Lambda function also sends the message to the application's API. The security engineer configures a corresponding Amazon EventBridge rule that specifies the Lambda function as the target.

After the EventBridge rule is implemented, the channel begins to constantly receive alerts from Security Hub. Many of the alerts are Amazon Inspector alerts that do not require any action. The security engineer wants to stop the Amazon Inspector alerts.

Which solution will meet this requirement with the LEAST operational effort?

Create an Amazon Simple Notification Service (Amazon SNS) topic to send messages to the application. Set a filter policy on the topic subscriptions to reject any messages that contain the product/aws/inspector string.

Update the Lambda function code to find pattern matches of events from Amazon Inspector and to suppress the findings.

Create a Security Hub custom action that automatically sends findings from all services except Amazon Inspector to the EventBridge event bus.

Modify the value of the ProductArn attribute in the event pattern of the EventBridge rule to "anything-but": ["arn:aws:securityhub:us-west-2::product/aws/inspector"].

Full Access

Question # 104

A company uses Amazon EC2 Linux instances in the AWS Cloud. A member of the company's security team recently received a report about common vulnerability identifiers on the instances.

A security engineer needs to verify patching and perform remediation if the instances do not have the correct patches installed. The security engineer must determine which EC2 instances are at risk and must implement a solution to automatically update those instances with the applicable patches.

What should the security engineer do to meet these requirements?

Use AWS Systems Manager Patch Manager to view vulnerability identifiers for missing patches on the instances. Use Patch Manager also to automate the patching process.

Use AWS Shield Advanced to view vulnerability identifiers for missing patches on the instances. Use AWS Systems Manager Patch Manager to automate the patching process.

Use Amazon GuardDuty to view vulnerability identifiers for missing patches on the instances. Use Amazon Inspector to automate the patching process.

Use Amazon Inspector to view vulnerability identifiers for missing patches on the instances. Use Amazon Inspector also to automate the patching process.

Full Access