
SCS-C02 Exam Dumps - AWS Certified Security - Specialty

Question # 41

A company is using AWS Organizations to create OUs for its accounts. The company has more than 20 accounts that are all part of the OUs. A security engineer must implement a solution to ensure that no account can stop the file delivery to AWS CloudTrail.

Which solution will meet this requirement?

A.

Use the --is-multi-region-trail option while running the create-trail command to ensure that logs are configured across all AWS Regions.

B.

Create an SCP that includes a Deny rule for the cloudtrail:StopLogging action. Apply the SCP to all accounts in the OUs.

C.

Create an SCP that includes an Allow rule for the cloudtrail:StopLogging action. Apply the SCP to all accounts in the OUs.

D.

Use AWS Systems Manager to ensure that CloudTrail is always turned on.

Question # 42

A developer operations team uses AWS Identity and Access Management (IAM) to manage user permissions. The team created an Amazon EC2 instance profile role that uses an AWS managed ReadOnlyAccess policy. When an application that is running on Amazon EC2 tries to read a file from an encrypted Amazon S3 bucket, the application receives an AccessDenied error.

The team administrator has verified that the S3 bucket policy allows everyone in the account to access the S3 bucket. There is no object ACL that is attached to the file.

What should the administrator do to fix the IAM access issue?

A.

Edit the ReadOnlyAccess policy to add kms:Decrypt actions.

B.

Add the EC2 IAM role as the authorized Principal to the S3 bucket policy.

C.

Attach an inline policy with kms:Decrypt permissions to the IAM role.

D.

Attach an inline policy with s3:* permissions to the IAM role.

Question # 43

A security engineer is designing a solution that will provide end-to-end encryption between clients and Docker containers running in Amazon Elastic Container Service (Amazon ECS). This solution will also handle volatile traffic patterns.

Which solution would have the MOST scalability and LOWEST latency?

A.

Configure a Network Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers.

B.

Configure an Application Load Balancer to terminate the TLS traffic and then re-encrypt the traffic to the containers.

C.

Configure a Network Load Balancer with a TCP listener to pass through TLS traffic to the containers.

D.

Configure Amazon Route 53 to use multivalue answer routing to send traffic to the containers.

Question # 44

A company wants to prevent SSH access through the use of SSH key pairs for any Amazon Linux 2 Amazon EC2 instances in its AWS account. However, a system administrator occasionally will need to access these EC2 instances through SSH in an emergency. For auditing purposes, the company needs to record any commands that a user runs in an EC2 instance.

What should a security engineer do to configure access to these EC2 instances to meet these requirements?

A.

Use the EC2 serial console. Configure the EC2 serial console to save all commands that are entered to an Amazon S3 bucket. Provide the EC2 instances with an IAM role that allows the EC2 serial console to access Amazon S3. Configure an IAM account for the system administrator. Provide an IAM policy that allows the IAM account to use the EC2 serial console.

B.

Use EC2 Instance Connect. Configure EC2 Instance Connect to save all commands that are entered to Amazon CloudWatch Logs. Provide the EC2 instances with an IAM role that allows the EC2 instances to access CloudWatch Logs. Configure an IAM account for the system administrator. Provide an IAM policy that allows the IAM account to use EC2 Instance Connect.

C.

Use an EC2 key pair with an EC2 instance that needs SSH access. Access the EC2 instance with this key pair by using SSH. Configure the EC2 instance to save all commands that are entered to Amazon CloudWatch Logs. Provide the EC2 instance with an IAM role that allows the EC2 instance to access Amazon S3 and CloudWatch Logs.

D.

Use AWS Systems Manager Session Manager. Configure Session Manager to save all commands that are entered in a session to an Amazon S3 bucket. Provide the EC2 instances with an IAM role that allows Systems Manager to manage the EC2 instances. Configure an IAM account for the system administrator. Provide an IAM policy that allows the IAM account to use Session Manager.

Question # 45

A security engineer is working with a company to design an ecommerce application. The application will run on Amazon EC2 instances that run in an Auto Scaling group behind an Application Load Balancer (ALB). The application will use an Amazon RDS DB instance for its database.

The only required connectivity from the internet is for HTTP and HTTPS traffic to the application. The application must communicate with an external payment provider that allows traffic only from a preconfigured allow list of IP addresses. The company must ensure that communications with the external payment provider are not interrupted as the environment scales.

Which combination of actions should the security engineer recommend to meet these requirements? (Select THREE.)

A.

Deploy a NAT gateway in each private subnet for every Availability Zone that is in use.

B.

Place the DB instance in a public subnet.

C.

Place the DB instance in a private subnet.

D.

Configure the Auto Scaling group to place the EC2 instances in a public subnet.

E.

Configure the Auto Scaling group to place the EC2 instances in a private subnet.

F.

Deploy the ALB in a private subnet.

Question # 46

A company's engineering team is developing a new application that creates AWS Key Management Service (AWS KMS) CMK grants for users. Immediately after a grant is created, users must be able to use the CMK to encrypt a 512-byte payload. During load testing, a bug appears intermittently where AccessDeniedExceptions are occasionally triggered when a user first attempts to encrypt using the CMK.

Which solution should the company's security specialist recommend?

A.

Instruct users to implement a retry mechanism every 2 minutes until the call succeeds.

B.

Instruct the engineering team to consume a random grant token from users, and to call the CreateGrant operation, passing it the grant token. Instruct users to use that grant token in their call to encrypt.

C.

Instruct the engineering team to create a random name for the grant when calling the CreateGrant operation. Return the name to the users and instruct them to provide the name as the grant token in the call to encrypt.

D.

Instruct the engineering team to pass the grant token returned in the CreateGrant response to users. Instruct users to use that grant token in their call to encrypt.

Question # 47

A company deployed Amazon GuardDuty in the us-east-1 Region. The company wants all DNS logs that relate to the company's Amazon EC2 instances to be inspected. What should a security engineer do to ensure that the EC2 instances are logged?

A.

Use IPv6 addresses that are configured for hostnames.

B.

Configure external DNS resolvers as internal resolvers that are visible only to IAM.

C.

Use IAM DNS resolvers for all EC2 instances.

D.

Configure a third-party DNS resolver with logging for all EC2 instances.

Question # 48

A company is operating a website using Amazon CloudFront. CloudFront serves some content from Amazon S3 and other content from web servers running on EC2 instances behind an Application Load Balancer (ALB). Amazon DynamoDB is used as the data store. The company already uses AWS Certificate Manager (ACM) to store a public TLS certificate that can optionally secure connections between the website users and CloudFront. The company has a new requirement to enforce end-to-end encryption in transit.

Which combination of steps should the company take to meet this requirement? (Select THREE.)

A.

Update the CloudFront distribution, configuring it to optionally use HTTPS when connecting to origins on Amazon S3.

B.

Update the web application configuration on the web servers to use HTTPS instead of HTTP when connecting to DynamoDB.

C.

Update the CloudFront distribution to redirect HTTP connections to HTTPS.

D.

Configure the web servers on the EC2 instances to listen using HTTPS using the public ACM TLS certificate. Update the ALB to connect to the target group using HTTPS.

E.

Update the ALB listener to listen using HTTPS using the public ACM TLS certificate. Update the CloudFront distribution to connect to the HTTPS listener.

F.

Create a TLS certificate. Configure the web servers on the EC2 instances to use HTTPS only with that certificate. Update the ALB to connect to the target group using HTTPS.
