SCS-C02 Exam Dumps - AWS Certified Security - Specialty

Searching for workable clues to ace the Amazon Web Services SCS-C02 Exam? You’re on the right place! ExamCert has realistic, trusted and authentic exam prep tools to help you achieve your desired credential. ExamCert’s SCS-C02 PDF Study Guide, Testing Engine and Exam Dumps follow a reliable exam preparation strategy, providing you the most relevant and updated study material that is crafted in an easy to learn format of questions and answers. ExamCert’s study tools aim at simplifying all complex and confusing concepts of the exam and introduce you to the real exam scenario and practice it with the help of its testing engine and real exam dumps

Go to page:

Question # 113

An online media company has an application that customers use to watch events around the world. The application is hosted on a fleet of Amazon EC2 instances that run Amazon Linux 2. The company uses AWS Systems Manager to manage the EC2 instances. The company applies patches and application updates by using the AWS-AmazonLinux2DefaultPatchBaseline patching baseline in Systems Manager Patch Manager.

The company is concerned about potential attacks on the application during the week of an upcoming event. The company needs a solution that can immediately deploy patches to all the EC2 instances in response to a security incident or vulnerability. The solution also must provide centralized evidence that the patches were applied successfully.

Which combination of steps will meet these requirements? (Select TWO.)

Create a new patching baseline in Patch Manager. Specify Amazon Linux 2 as the product. Specify Security as the classification. Set the automatic approval for patches to 0 days. Ensure that the new patching baseline is the designated default for Amazon Linux 2.

Use the Patch Now option with the scan and install operation in the Patch Manager console to apply patches against the baseline to all nodes. Specify an Amazon S3 bucket as the patching log storage option.

Use the Clone function of Patch Manager to create a copy of the AWS-AmazonLinux2DefaultPatchBaseline built-in baseline. Set the automatic approval for patches to 1 day.

Create a patch policy that patches all managed nodes and sends a patch operation log output to an Amazon S3 bucket. Use a custom scan schedule to set Patch Manager to check every hour for new patches. Assign the baseline to the patch policy.

Use Systems Manager Application Manager to inspect the package versions that were installed on the EC2 instances. Additionally, use Application Manager to validate that the patches were correctly installed.

Full Access

Question # 114

A company needs to retain data that is stored in Amazon CloudWatch Logs log groups The company must retain this data for 90 days. The company must receive notification in AWS Security Hub when log group retention is not compliant with this requirement.

Which solution will provide the appropriate notification?

Create a Security Hub custom action to assess the log group retention period.

Create a data protection policy in CloudWatch Logs to assess the log group retention period.

Create a Security Hub automation rule Configure the automation rule to assess the log group retention period.

Use the AWS Config managed rule that assesses the log group retention period Ensure that AWS Config integration is enabled in Security Hub.

Full Access

Question # 115

A security engineer needs to configure an Amazon S3 bucket policy to restrict access to an S3 bucket that is named DOC-EXAMPLE-BUCKET. The policy must allow access to only DOC-EXAMPLE-BUCKET from only the following endpoint vpce-1a2b3c4d. The policy must deny all access to DOC-EXAMPLE-BUCKET if the specified endpomt is not used.

Which bucket policy statement meets these requirements?

Full Access

Question # 116

A company is using AWS Organizations to implement a multi-account strategy. The company does not have on-premises infrastructure. All workloads run on AWS. The company currently has eight member accounts. The company anticipates that it will have no more than 20 AWS accounts total at any time.

The company issues a new security policy that contains the following requirements:

â€¢ No AWS account should use a VPC within the AWS account for workloads.

â€¢ The company should use a centrally managed VPC that all AWS accounts can access to launch workloads in subnets.

â€¢ No AWS account should be able to modify another AWS account's application resources within the centrally managed VPC.

â€¢ The centrally managed VPC should reside in an existing AWS account that is named Account-A within an organization.

The company uses an AWS CloudFormation template to create a VPC that contains multiple subnets in Account-A. This template exports the subnet IDs through the CloudFormation Outputs section.

Which solution will complete the security setup to meet these requirements?

Use a CloudFormation template in the member accounts to launch workloads. Configure the template to use the Fn::lmportValue function to obtain the subnet ID values.

Use a transit gateway in the VPC within Account-A. Configure the member accounts to use the transit gateway to access the subnets in Account-A to launch workloads.

Use AWS Resource Access Manager (AWS RAM) to share Account-A's VPC subnets with the remaining member accounts. Configure the member accounts to use the shared subnets to launch workloads.

Create a peering connection between Account-A and the remaining member accounts. Configure the member accounts to use the subnets in Account-A through the VPC peering connection to launch workloads.

Full Access

Answer:

Explanation:

The correct answer is C. Use AWS Resource Access Manager (AWS RAM) to share Account-Aâ€™s VPC subnets with the remaining member accounts. Configure the member accounts to use the shared subnets to launch workloads.

This answer is correct because AWS RAM is a service that helps you securely share your AWS resources across AWS accounts, within your organization or organizational units (OUs), and with IAM roles and users for supported resource types1.One of the supported resource types is VPC subnets2, which means you can share the subnets in Account-Aâ€™s VPC with the other member accounts using AWS RAM. This way, you can meet the requirements of using a centrally managed VPC, avoiding duplicate VPCs in each account, and launching workloads in shared subnets.You can also control the access to the shared subnets by using IAM policies and resource-based policies3, which can prevent one account from modifying another accountâ€™s resources.

The other options are incorrect because:

A.Using aCloudFormation template in the member accounts to launch workloads and using the Fn::ImportValue function to obtain the subnet ID values is not a solution, because Fn::ImportValue can only import values that have been exported by another stack within the same region4. This means that you cannot use Fn::ImportValue to reference the subnet IDs that are exported by Account-Aâ€™s CloudFormation template, unless all the member accounts are in the same region as Account-A. This option also does not avoid creating duplicate VPCs in each account, which is one of the requirements.

B. Using a transit gateway in the VPC within Account-A and configuring the member accounts to use the transit gateway to access the subnets in Account-A to launch workloads is not a solution, because a transit gateway does not allow you to launch workloads in another accountâ€™s subnets.A transit gateway is a network transit hub that enables you to route traffic between your VPCs and on-premises networks5, but it does not enable you to share subnets across accounts.

D. Creating a peering connection between Account-A and the remaining member accounts and configuring the member accounts to use the subnets in Account-A through the VPC peering connection to launch workloads is not a solution, because a VPC peering connection does not allow you to launch workloads in another accountâ€™s subnets.A VPC peering connection is a networking connection betweentwo VPCs that enables you to route traffic between them privately6, but it does not enable you to share subnets across accounts.

[References:, 1:What is AWS Resource Access Manager?2:Shareable AWS resources3:Managing permissions for shared resources4:Fn::ImportValue5:What is a transit gateway?6:What is VPC peering?, , , , , ]

Question # 117

A company needs to detect unauthenticated access to its Amazon Elastic Kubernetes Service (Amazon EKS) clusters. The company needs a solution that requires no additional configuration of the existing EKS deployment.

Which solution will meet these requirements with the LEAST operational effort?

Install an Amazon EKS add-on from a security vendor.

Enable AWS Security Hub. Monitor the Kubernetes findings.

Monitor Amazon CloudWatch Container Insights metrics for Amazon EKS.

Enable Amazon GuardDuty. Use EKS Audit Log Monitoring.

Full Access

Question # 118

A developer signed in to a new account within an IAM Organization organizational unit (OU) containing multiple accounts. Access to the Amazon $3 service is restricted with the following SCP.

How can the security engineer provide the developer with Amazon $3 access without affecting other account?

Move the SCP to the root OU of organization to remove the restriction to access Amazon $3.

Add an IAM policy for the developer, which grants $3 access.

Create a new OU without applying the SCP restricting $3 access. Move the developer account to this new OU.

Add an allow list for the developer account for the $3 service.

Full Access

Question # 119

A company runs workloads in the us-east-1 Region. The company has never deployed resources to other AWS Regions and does not have any multi-Region resources.

The company needs to replicate its workloads and infrastructure to the us-west-1 Region.

A security engineer must implement a solution that uses AWS Secrets Manager to store secrets in both Regions. The solution must use AWS Key Management Service(AWS KMS) to encrypt the secrets. The solution must minimize latency and must be able to work if only one Region is available.

The security engineer uses Secrets Manager to create the secrets in us-east-1.

What should the security engineer do next to meet the requirements?

Encrypt the secrets in us-east-1 by using an AWS managed KMS key. Replicate the secrets to us-west-1. Encrypt the secrets in us-west-1 by using a newAWS managed KMS key in us-west-1.

Encrypt the secrets in us-east-1 by using an AWS managed KMS key. Configure resources in us-west-1 to call the Secrets Manager endpoint in us-east-1.

Encrypt the secrets in us-east-1 by using a customer managed KMS key. Configure resources in us-west-1 to call the Secrets Manager endpoint in us-east-1.

Encrypt the secrets in us-east-1 by using a customer managed KMS key. Replicate the secrets to us-west-1. Encrypt the secrets in us-west-1 by using thecustomer managed KMS key from us-east-1.

Full Access

Question # 120

A company manages multiple AWS accounts using AWS Organizations. The company's security team notices that some member accounts are not sending AWS CloudTrail logs to a centralized Amazon S3 logging bucket. The security team wants to ensure there is at least one trail configured for all existing accounts and for any account that is created in the future.

Which set of actions should the security team implement to accomplish this?

Create a new trail and configure it to send CloudTraiI logs to Amazon S3. Use Amazon EventBridge to send notification if a trail is deleted or stopped.

Deploy an AWS Lambda function in every account to check if there is an existing trail and create a new trail, if needed.

Edit the existing trail in the Organizations management account and apply it to the organization.

Create an SCP to deny the cloudtraiI:DeIeteâ€¢ and cloudtraiI:Stopâ€¢ actbns. Apply the SCP to all accounts.

Full Access

Answer:

Explanation:

The correct answer is C. Edit the existing trail in the Organizations management account and apply it to the organization.

The reason is that this is the simplest and most effective way to ensure that there is at least one trail configured for all existing accounts and for any account that is created in the future.According to the AWS documentation1, â€œIf you have created an organization in AWS Organizations, you can create a trail that logs all events for all AWS accounts in that organization.This is sometimes called an organization trail.â€ The documentation1also states that â€œThe management account for the organization can edit an existing trail in their account, and apply it to an organization, making it an organization trail. Organization trails log events for the management account and all member accounts in the organization.â€ Therefore, by editing the existing trail in the management account and applying it to the organization, the security team can ensure that all accounts are sending CloudTrail logs to a centralized S3 logging bucket.

The other options are incorrect because:

A. Create a new trail and configure it to send CloudTrail logs to Amazon S3. Use Amazon EventBridge to send notification if a trail is deleted or stopped. This option is not sufficient to ensure that there is at least one trail configured for all accounts, because it does not prevent users from deleting or stopping the trail in their accounts. Even if EventBridge sends a notification, the security team would have to manually restore or restart the trail, which is not efficient or scalable.

B. Deploy an AWS Lambda function in every account to check if there is an existing trail and create a new trail, if needed. This option is not optimal because it requires deploying and maintaining a Lambda function in every account, which adds complexity and cost. Moreover, it does not prevent users from deleting or stopping the trail after it is created by the Lambda function.

D. Create an SCP to deny the cloudtrail:Delete and cloudtrail:Stop actions. Apply the SCP to all accounts. This option is not sufficient to ensure that there is at least one trail configured for all accounts, because it does not create or apply a trail in the first place. It only prevents users from deleting or stopping an existing trail, but it does not guarantee that a trail exists in every account.

Go to page: