New Year Sale Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: scxmas70

  1. Home
  2. Amazon Web Services
  3. AWS Certified Specialty
  4. SCS-C02 - AWS Certified Security - Specialty

SCS-C02 Exam Dumps - AWS Certified Security - Specialty

Searching for workable clues to ace the Amazon Web Services SCS-C02 Exam? You’re on the right place! ExamCert has realistic, trusted and authentic exam prep tools to help you achieve your desired credential. ExamCert’s SCS-C02 PDF Study Guide, Testing Engine and Exam Dumps follow a reliable exam preparation strategy, providing you the most relevant and updated study material that is crafted in an easy to learn format of questions and answers. ExamCert’s study tools aim at simplifying all complex and confusing concepts of the exam and introduce you to the real exam scenario and practice it with the help of its testing engine and real exam dumps

Go to page:
Question # 57

A company wants to remove all SSH keys permanently from a specific subset of its Amazon Linux 2 Amazon EC2 instances that are using the same 1AM instance profile However three individuals who have IAM user accounts will need to access these instances by using an SSH session to perform critical duties

How can a security engineer provide the access to meet these requirements'?

A.

Assign an 1AM policy to the instance profile to allow the EC2 instances to be managed by AWS Systems Manager Provide the 1AM user accounts with permission to use Systems Manager Remove the SSH keys from the EC2 instances Use Systems Manager Inventory to select the EC2 instance and connect

B.

Assign an 1AM policy to the 1AM user accounts to provide permission to use AWS Systems Manager Run Command Remove the SSH keys from the EC2 instances Use Run Command to open an SSH connection to the EC2 instance

C.

Assign an 1AM policy to the instance profile to allow the EC2 instances to be managed by AWS Systems Manager Provide the 1AM user accounts with permission to use Systems Manager Remove the SSH keys from the EC2 instances Use Systems Manager Session Manager to select the EC2 instance and connect.

D.

Assign an 1AM policy to the 1AM user accounts to provide permission to use the EC2 service in the AWS Management Console Remove the SSH keys from the EC2 instances Connect to the EC2 instance as the ec2-user through the AWS Management Console's EC2 SSH client method

Full Access
Question # 58

A security team is using Amazon EC2 Image Builder to build a hardened AMI with forensic capabilities. An AWS Key Management Service (AWS KMS) key will encrypt the forensic AMI EC2 Image Builder successfully installs the required patches and packages in the security team's AWS account. The security team uses a federated IAM role m the same AWS account to sign in to the AWS Management Console and attempts to launch the forensic AMI. The EC2 instance launches and immediately terminates.

What should the security learn do lo launch the EC2 instance successfully

A.

Update the policy that is associated with the federated IAM role to allow the ec2. Describelmages action for the forensic AMI.

B.

Update the policy that is associated with the federated IAM role to allow the ec2 Start Instances action m the security team's AWS account.

C.

Update the policy that is associated with the KMS key that is used to encrypt the forensic AMI. Configure the policy to allow the kms. Encrypt and kms Decrypt actions for the federated IAM role.

D.

Update the policy that is associated with the federated IAM role to allow the kms. DescribeKey action for the KMS key that is used to encrypt the forensic AMI.

Full Access
Question # 59

What are the MOST secure ways to protect the AWS account root user of a recently opened AWS account? (Select TWO.)

A.

Use the AWS account root user access keys instead of the AWS Management Console.

B.

Enable multi-factor authentication for the AWS IAM users with the Adminis-tratorAccess managed policy attached to them.

C.

Enable multi-factor authentication for the AWS account root user.

D.

Use AWS KMS to encrypt all AWS account root user and AWS IAM access keys and set automatic rotation to 30 days.

E.

Do not create access keys for the AWS account root user; instead, create AWS IAM users.

Full Access
Question # 60

A company is running a new workload across accounts that are in an organization in AWS Organizations. All running resources must have a tag of CostCenter, and the tag must have one of three approved values. The company must enforce this policy and must prevent any changes of the CostCenter tag to a non-approved value.

Which solution will meet these requirements?

A.

Create an AWS Config Custom Policy rule by using AWS CloudFormation Guard. Include the tag key of CostCenter and the approved values. Create an SCP that denies the creation of resources when the value of the aws:RequestTag/CostCenter condition key is not one of the three approved values.

B.

Create an AWS CloudTrail trail. Create an Amazon EventBridge rule that includes a rule statement that matches the creation of new resources. Configure the EventBridge rule to invoke an AWS Lambda function that checks for the CostCenter tag. Program the Lambda function to block creation in case of a noncompliant value.

C.

Enable tag policies for the organization. Create a tag policy that specifies a tag key of CostCenter and the approved values. Configure the policy to enforce noncompliant operations. Create an SCP that denies the creation of resources when the aws:RequestTag/CostCenter condition key has a null value.

D.

Enable tag policies for the organization. Create a tag policy that specifies a tag key of CostCenter and the approved values. Create an Amazon EventBridge rule that invokes an AWS Lambda function when a noncompliant tag is created. Program the Lambda function to block changes to the tag.

Full Access
Question # 61

Which of the following bucket policies will ensure that objects being uploaded to a bucket called 'demo' are encrypted.

Please select:

A.
B.

C:\Users\wk\Desktop\mudassar\Untitled.jpg

C.
D.

C:\Users\wk\Desktop\mudassar\Untitled.jpg

E.
F.

C:\Users\wk\Desktop\mudassar\Untitled.jpg

G.
Full Access
Question # 62

A company has created a set of AWS Lambda functions to automate incident response steps for incidents that occur on Amazon EC2 instances. The Lambda functions need to collect relevant artifacts, such as instance ID and security group configuration. The Lambda functions must then write a summary to an Amazon S3 bucket.

The company runs its workloads in a VPC that uses public subnets and private subnets. The public subnets use an internet gateway to access the internet. The private subnets use a NAT gateway to access the internet.

All network traffic to Amazon S3 that is related to the incident response process must use the AWS network. This traffic must not travel across the internet.

Which solution will meet these requirements?

A.

Deploy the Lambda functions to a private subnet in the VPC. Configure the Lambda functions to access the S3 service through the NAT gateway.

B.

Deploy the Lambda functions to a private subnet in the VPC. Create an S3 gateway endpoint to access the S3 service.

C.

Deploy the S3 bucket and the Lambda functions in the same private subnet. Configure the Lambda functions to use the default endpoint for the S3 service.

D.

Deploy an Amazon Simple Queue Service (Amazon SOS) queue and the Lambda functions in the same private subnet. Configure the Lambda functions to send data to the SQS queue. Configure the SOS queue to send data to the S3 bucket.

Full Access
Question # 63

A company's engineering team is developing a new application that creates IAM Key Management Service (IAM KMS) CMK grants for users immediately after a grant IS created users must be able to use the CMK tu encrypt a 512-byte payload. During load testing, a bug appears |intermittently where AccessDeniedExceptions are occasionally triggered when a userfirst attempts to encrypt using the CMK

Which solution should the c0mpany‘s security specialist recommend‘?

A.

Instruct users to implement a retry mechanism every 2 minutes until the call succeeds.

B.

Instruct the engineering team to consume a random grant token from users, and to call the CreateGrant operation, passing it the grant token. Instruct use to use that grant token in their call to encrypt.

C.

Instruct the engineering team to create a random name for the grant when calling the CreateGrant operation. Return the name to the users and instruct them to provide the name asthe grant token in the call to encrypt.

D.

Instruct the engineering team to pass the grant token returned in the CreateGrant response to users. Instruct users to use that grant token in their call to encrypt.

Full Access
Question # 64

A company's AWS CloudTrail logs are all centrally stored in an Amazon S3 bucket. The security team controls the company's AWS account. The security team must prevent unauthorized access and tampering of the CloudTrail logs.

Which combination of steps should the security team take? (Choose three.)

A.

Configure server-side encryption with AWS KMS managed encryption keys (SSE-KMS)

B.

Compress log file with secure gzip.

C.

Create an Amazon EventBridge (Amazon CloudWatch Events) rule to notify the security team of any modifications on CloudTrail log files.

D.

Implement least privilege access to the S3 bucket by configuring a bucket policy.

E.

Configure CloudTrail log file integrity validation.

F.

Configure Access Analyzer for S3.

Full Access
Go to page:

Hot Exams

AZ-900 Dumps
200-301 Dumps
350-401 Dumps
350-701 Dumps
AZ-104 Dumps
CS0-003 Dumps
N10-009 Dumps
SY0-701 Dumps
CAS-005 Dumps
PT0-003 Dumps
ZDTA Dumps