SCS-C02 Exam Dumps - AWS Certified Security - Specialty

Searching for workable clues to ace the Amazon Web Services SCS-C02 Exam? You’re on the right place! ExamCert has realistic, trusted and authentic exam prep tools to help you achieve your desired credential. ExamCert’s SCS-C02 PDF Study Guide, Testing Engine and Exam Dumps follow a reliable exam preparation strategy, providing you the most relevant and updated study material that is crafted in an easy to learn format of questions and answers. ExamCert’s study tools aim at simplifying all complex and confusing concepts of the exam and introduce you to the real exam scenario and practice it with the help of its testing engine and real exam dumps

Go to page:

<< First
Prev
1
2
3
4
5
6
7
8
9
10
Next
Last >>

Question # 25

A security engineer is creating an AWS Lambda function. The Lambda function needs to use a role that is named LambdaAuditRole to assume a role that is named AcmeAuditFactoryRole in a different AWS account.

When the code is processed, the following error message appears: "An error oc-curred (AccessDenied) when calling the AssumeRole operation."

Which combination of steps should the security engineer take to resolve this er-ror? (Select TWO.)

Ensure that LambdaAuditRole has the sts:AssumeRole permission for Ac-meAuditFactoryRole.

Ensure that LambdaAuditRole has the AWSLambdaBasicExecutionRole managed policy attached.

Ensure that the trust policy for AcmeAuditFactoryRole allows the sts:AssumeRole action from LambdaAuditRole.

Ensure that the trust policy for LambdaAuditRole allows the sts:AssumeRole action from the lambda.amazonaws.com service.

Ensure that the sts:AssumeRole API call is being issued to the us-east-I Region endpoint.

Full Access

Question # 26

A company runs workloads on Amazon EC2 instances in VPCs The EC2 instances make requests to Amazon S3 buckets through VPC endpoints. The company uses AWS Organizations to manage its AWS accounts.

The company needs the requests from the EC2 instances to originate from the same VPC that the EC2 instance credentials were issued to.

Which solution will meet this requirement?

Deploy an SCP that includes the S3: * action with the "awsSourceVpc": "S {aws: Ec2lnstanceSourceVpc}" condition.

Edit the VPC endpoints to include the S3:' action with the "aws: Ec2lnstanceSourcePrivatelPv4": "${aws:VpcSourcelp}" condition.

Limit all actions in the S3 bucket policies by using the aws:SourceVpce condition key with the value of the allowed VPC endpoint.

Limit all actions in the S3 bucket policies by using the aws:SourceVpc condition key with the value to the allowed VPC ID.

Full Access

Question # 27

A company discovers a billing anomaly in its AWS account. A security consultant investigates the anomaly and discovers that an employee who left the company 30 days ago still has access to the account.

The company has not monitored account activity in the past.

The security consultant needs to determine which resources have been deployed or reconfigured by the employee as quickly as possible.

Which solution will meet these requirements?

In AWS Cost Explorer, filter chart data to display results from the past 30 days. Export the results to a data table. Group the data table by re-source.

Use AWS Cost Anomaly Detection to create a cost monitor. Access the detec-tion history. Set the time frame to Last 30 days. In the search area, choose the service category.

In AWS CloudTrail, filter the event history to display results from the past 30 days. Create an Amazon Athena table that contains the data. Parti-tion the table by event source.

Use AWS Audit Manager to create an assessment for the past 30 days. Apply a usage-based framework to the assessment. Configure the assessment to as-sess by resource.

Full Access

Question # 28

A company uses Amazon GuardDuty. The company's security engineer needs lo receive an email notification for every GuardDuty finding that is a High severity level. Which solution will meet this requirement?

Create a verified identity for the email address in Amazon Simple Email Service (Amazon SES) Create an Amazon EventBridge rule that has the SES verified identity as the target Specify GuardDuty as the event source Configure the EventBridge event pattern to match High seventy findings.

Create an Amazon Simple Notification Service (Amazon SNS) topic Subscribe the email address to the SNS topic. Create an Amazon EventBridge rule that has the SNS topic as the target Specify GuardDuty as the event source Configure the EventBridge event pattern to match High severity findings.

Create an Amazon Simple Notification Service (Amazon SNS) topic Subscribe the email address to the SNS topic. Enable AWS Security Hub Integrate Security Hub with GuardDuty. Use Security Hub automation rules to publish High severity GuardDuty findings to the SNS topic.

Enable AWS Security Hub Integrate Security Hub with GuardDuty. Use Secunty Hub automation rules to create a custom rule. Configure the custom rule to detect High seventy GuardDuty findings and to send a notification to the email address.

Full Access

Question # 29

A company has a web server in the AWS Cloud. The company will store the content for the web server in an Amazon S3 bucket. A security engineer must use an Amazon CloudFront distribution to speed up delivery of the content. None of the files can be publicly accessible from the S3 bucket direct.

Which solution will meet these requirements?

Configure the permissions on the individual files in the S3 bucket so that only the CloudFront distribution has access to them.

Create an origin access identity (OAI). Associate the OAI with the CloudFront distribution. Configure the S3 bucket permissions so that only the OAI can access the files in the S3 bucket.

Create an S3 role in AWS Identity and Access Management (IAM). Allow only the CloudFront distribution to assume the role to access the files in the S3 bucket.

Create an S3 bucket policy that uses only the CloudFront distribution ID as the principal and the Amazon Resource Name (ARN) as the target.

Full Access

Question # 30

A company uses AWS Organizations to manage a small number of AWS accounts. However, the company plans to add 1 000 more accounts soon. The company allows only a centralized security team to create IAM roles for all AWS accounts and teams. Application teams submit requests for IAM roles to the security team. The security team has a backlog of IAM role requests and cannot review and provision the IAM roles quickly.

The security team must create a process that will allow application teams to provision their own IAM roles. The process must also limit the scope of IAM roles and prevent privilege escalation.

Which solution will meet these requirements with the LEAST operational overhead?

Create an IAM group for each application team. Associate policies with each IAM group. Provision IAM users for each application team member. Add the new IAM users to the appropriate IAM group by using role-based access control (RBAC).

Delegate application team leads to provision IAM rotes for each team. Conduct a quarterly review of the IAM rotes the team leads have provisioned. Ensure that the application team leads have the appropriate training to review IAM roles.

Put each AWS account in its own OU. Add an SCP to each OU to grant access to only the AWS services that the teams plan to use. Include conditions tn the AWS account of each team.

Create an SCP and a permissions boundary for IAM roles. Add the SCP to the root OU so that only roles that have the permissions boundary attached can create any new IAM roles.

Full Access

Answer:

Explanation:

To create a process that will allow application teams to provision their own IAM roles, while limiting the scope of IAM roles and preventing privilege escalation, the following steps are required:

Create a service control policy (SCP) that defines the maximum permissions that can be granted to any IAM role in the organization. An SCP is a type of policy that you can use with AWS Organizations to manage permissions for all accounts in your organization. SCPs restrict permissions for entities in member accounts, including each AWS account root user, IAM users, and roles.For more information, see Service control policies overview.

Create a permissions boundary for IAM roles that matches the SCP. A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity. A permissions boundary allows an entity to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries.For more information, see Permissions boundaries for IAM entities.

Add the SCP to the root organizational unit (OU) so that it applies to all accounts in the organization. This will ensure that no IAM role can exceed the permissions defined by the SCP, regardless of how it is created or modified.

Instruct the application teams to attach the permissions boundary to any IAM role they create. This will prevent them from creating IAM roles that can escalate their own privileges or access resources they are not authorized to access.

This solution will meet the requirements with the least operational overhead, as it leverages AWS Organizations and IAM features to delegate and limit IAM role creation without requiring manual reviews or approvals.

The other options are incorrect because they either do not allow application teams to provision their own IAM roles (A), do not limit the scope of IAM roles or prevent privilege escalation (B), or do not take advantage of managed services whenever possible Â©.

Verified References:

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html

Question # 31

A company has a new partnership with a vendor. The vendor will process data from the company's customers. The company will upload data files as objects into an Amazon S3 bucket. The vendor will download the objects to perform data processing. The objects will contain sensi-tive data.

A security engineer must implement a solution that prevents objects from resid-ing in the S3 bucket for longer than 72 hours.

Which solution will meet these requirements?

Use Amazon Macie to scan the S3 bucket for sensitive data every 72 hours. Configure Macie to delete the objects that contain sensitive data when they are discovered.

Configure an S3 Lifecycle rule on the S3 bucket to expire objects that have been in the S3 bucket for 72 hours.

Create an Amazon EventBridge scheduled rule that invokes an AWS Lambda function every day. Program the Lambda function to remove any objects that have been in the S3 bucket for 72 hours.

Use the S3 Intelligent-Tiering storage class for all objects that are up-loaded to the S3 bucket. Use S3 Intelligent-Tiering to expire objects that have been in the S3 bucket for 72 hours.

Full Access

Question # 32

A company has an application on Amazon EC2 instances that store confidential customer data. The company must restrict access to customer data. A security engineer requires secure access to the instances that host the application. According to company policy, users must not open any inbound ports, maintain bastion hosts, or manage SSH keys for the EC2 instances.

The security engineer wants lo monitor, store, and access all session activity logs. The logs must be encrypted.

Which solution will meet these requirements?

Use AWS Control Tower to connect to the EC2 instances. Configure Amazon CloudWatch logging for the sessions. Select the upload session logs option and allow only encrypted CloudWatch Logs log groups.

Use AWS Security Hub to connect to the EC2 instances. Configure Amazon CloudWatch logging for the sessions. Select the upload session logs option and allow only encrypted CloudWatch Logs log groups.

Use AWS Systems Manager Session Manager to connect to the EC2 instances. Configure Amazon CloudWatch monitoring to record the sessions. Select the store session logs option for the desired CloudWatch Logs log groups.

Use AWS Systems Manager Session Manager to connect to the EC2 instances. Configure Amazon CloudWatch logging. Select the upload session logs option and allow only encrypted CloudWatch Logs log groups.

Full Access