A company needs to retain tog data archives for several years to be compliant with regulations. The tog data is no longer used but It must be retainedWhat Is the MOST secure and cost-effective solution to meet these requirements?

Archive the data to Amazon S3 Glacier and apply a Vault Lock policy

Archive the data to Amazon S3 and apply a restrictive bucket policy to deny the s3 DeleteOotect API

Archive the data to Amazon S3 Glacier and apply a Vault Lock policy

Archive the data to Amazon S3 and replicate it to a second bucket in a second IAM Region Choose the S3 Standard-Infrequent Access (S3 Standard-1A) storage class and apply a restrictive bucket policy to deny the s3 DeleteObject API

Migrate the log data to a 16 T8 Amazon Elastic Block Store (Amazon EBS) volume Create a snapshot of the EBS volume

A company is running workloads in a single IAM account on Amazon EC2 instances and Amazon EMR clusters a recent security audit revealed that multiple Amazon Elastic Block Store (Amazon EBS) volumes and snapshots are not encryptedThe company's security engineer is working on a solution that will allow users to deploy EC2 Instances and EMR clusters while ensuring that all new EBS volumes and EBS snapshots are encrypted at rest. The solution must also minimize operational overheadWhich steps should the security engineer take to meet these requirements?

Use the IAM Management Console or IAM CLi to enable encryption by default for EBS volumes in each IAM Region where the company operates.

Create an Amazon Event Bridge (Amazon Cloud watch Events) event with an EC2 instance as the source and create volume as the event trigger. When the event is triggered invoke an IAM Lambda function to evaluate and notify the security engineer if the EBS volume that was created is not encrypted.

Use a customer managed IAM policy that will verify that the encryption ag of the Createvolume context is set to true. Apply this rule to all users.

Create an IAM Config rule to evaluate the conguration of each EC2 instance on creation or modication. Have the IAM Cong rule trigger an IAM Lambdafunction to alert the security team and terminate the instance it the EBS volume is not encrypted. 5

Use the IAM Management Console or IAM CLi to enable encryption by default for EBS volumes in each IAM Region where the company operates.

A developer signed in to a new account within an IAM Organization organizational unit (OU) containing multiple accounts. Access to the Amazon $3 service is restricted with the following SCP. How can the security engineer provide the developer with Amazon $3 access without affecting other account?

Create a new OU without applying the SCP restricting $3 access. Move the developer account to this new OU.

Move the SCP to the root OU of organization to remove the restriction to access Amazon $3.

Add an IAM policy for the developer, which grants $3 access.

Create a new OU without applying the SCP restricting $3 access. Move the developer account to this new OU.

Add an allow list for the developer account for the $3 service.

A company needs a security engineer to implement a scalable solution for multi-account authentication and authorization. The solution should not introduce additional user-managed architectural components. Native IAM features should be used as much as possible The security engineer has set up IAM Organizations w1th all features activated and IAM SSO enabled.Which additional steps should the security engineer take to complete the task?

Use an IAM SSO default directory to create users and groups for all employees that require access to IAM accounts. Assign groups to IAM accounts and link to permission sets in accordance with the employees'job functions and access requirements. Instruct employees to access IAM accounts by using the IAM SSO user portal.

Use AD Connector to create users and groups for all employees that require access to IAM accounts. Assign AD Connector groups to IAM accounts and link to the IAM roles in accordance with the employees'job functions and access requirements Instruct employees to access IAM accounts by using the IAM Directory Service user portal.

Use an IAM SSO default directory to create users and groups for all employees that require access to IAM accounts. Assign groups to IAM accounts and link to permission sets in accordance with the employees'job functions and access requirements. Instruct employees to access IAM accounts by using the IAM SSO user portal.

Use an IAM SSO default directory to create users and groups for all employees that require access to IAM accounts. Link IAM SSO groups to the IAM users present in all accounts to inherit existing permissions. Instruct employees to access IAM accounts by using the IAM SSO user portal.

Use IAM Directory Service tor Microsoft Active Directory to create users and groups for all employees that require access to IAM accounts Enable IAM Management Console access in the created directory and specify IAM SSO as a source cl information tor integrated accounts and permission sets. Instruct employees to access IAM accounts by using the IAM Directory Service user portal.

A company deployed IAM Organizations to help manage its increasing number of IAM accounts. A security engineer wants to ensure only principals in the Organization structure can access a specic Amazon S3 bucket. The solution must also minimize operational overheadWhich solution will meet these requirements?

Specify the organization ID in the global key condition element of a bucket policy, allowing all principals access.

1 Put all users into an IAM group with an access policy granting access to the J bucket.

Have the account creation trigger an IAM Lambda function that manages the bucket policy, allowing access to accounts listed in the policy only.

Add an SCP to the Organizations master account, allowing all principals access to the bucket.

Specify the organization ID in the global key condition element of a bucket policy, allowing all principals access.

A company's engineering team is developing a new application that creates IAM Key Management Service (IAM KMS) CMK grants for users immediately after a grant IS created users must be able to use the CMK tu encrypt a 512-byte payload. During load testing, a bug appears |intermittently where AccessDeniedExceptions are occasionally triggered when a user rst attempts to encrypt using the CMKWhich solution should the c0mpany's security specialist recommend'?

Instruct the engineering team to pass the grant token returned in the CreateGrant response to users. Instruct users to use that grant token in their call to encrypt.

Instruct users to implement a retry mechanism every 2 minutes until the call succeeds.

Instruct the engineering team to consume a random grant token from users, and to call the CreateGrant operation, passing it the grant token. Instruct use to use that grant token in their call to encrypt.

Instruct the engineering team to create a random name for the grant when calling the CreateGrant operation. Return the name to the users and instruct them to provide the name as the grant token in the call to encrypt.

Instruct the engineering team to pass the grant token returned in the CreateGrant response to users. Instruct users to use that grant token in their call to encrypt.

A website currently runs on Amazon EC2, wan mostly statics content on the site. Recently the site was subjected to a DDoS attack a security engineer was (asked was redesigning the edge security to helpMitigate this risk in the future.What are some ways the engineer could achieve this (Select THREE)?

Move the static content to Amazon S3, and front this with an Amazon Cloud Front distribution.

Use IAM WAF security rules to inspect the inbound trafc.

Use Amazon Route 53 to distribute trafc.

Use IAM X-Ray to inspect the trafc going to the EC2 instances.

Move the static content to Amazon S3, and front this with an Amazon Cloud Front distribution.

Change the security group conguration to block the source of the attack trafc

Use IAM WAF security rules to inspect the inbound trafc.

Use Amazon Inspector assessment templates to inspect the inbound traffic.

Use Amazon Route 53 to distribute trafc.

You have an S3 bucket defined in IAM. You want to ensure that you encrypt the data before sending it across the wire. What is the best way to achieve this.Please select:

Use the IAM Encryption CLI to encrypt the data first

Enable server side encryption for the S3 bucket. This request will ensure that the data is encrypted first.

Use the IAM Encryption CLI to encrypt the data first

Use a Lambda function to encrypt the data before sending it to the S3 bucket.

Enable client encryption for the bucket

Your company has a set of EC2 Instances defined in IAM. These Ec2 Instances have strict security groups attached to them. You need to ensure that changes to the Security groups are noted and acted on accordingly. How can you achieve this?Please select:

Use Cloudwatch events to be triggered for any changes to the Security Groups. Configure the Lambda function for email notification as well.

Use Cloudwatch logs to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS for the notification.

Use Cloudwatch metrics to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS for the notification.

Use IAM inspector to monitor the activity on the Security Groups. Use filters to search for the changes and use SNS f the notification.

Use Cloudwatch events to be triggered for any changes to the Security Groups. Configure the Lambda function for email notification as well.

Your company has just set up a new central server in a VPC. There is a requirement for other teams who have their servers located in different VPC's in the same region to connect to the central server. Which of the below options is best suited to achieve this requirement.Please select:

Set up VPC peering between the central server VPC and each of the teams VPCs.

Set up IAM DirectConnect between the central server VPC and each of the teams VPCs.

Set up an IPSec Tunnel between the central server VPC and each of the teams VPCs.

None of the above options will work.

There is a requirement for a company to transfer large amounts of data between IAM and an on-premise location. There is an additional requirement for low latency and high consistency traffic to IAM. Given these requirements how would you design a hybrid architecture? Choose the correct answer from the options belowPlease select:

Provision a Direct Connect connection to an IAM region using a Direct Connect partner.

Create a VPN tunnel for private connectivity, which increases network consistency and reduces latency.

Create an iPSec tunnel for private connectivity, which increases network consistency and reduces latency.

Create a VPC peering connection between IAM and the Customer gateway.

A company's IAM account consists of approximately 300 IAM users. Now there is a mandate that an access change is required for 100 IAM users to have unlimited privileges to S3.As a system administrator, how can you implement this effectively so that there is no need to apply the policy at the individual user level?Please select:

Use the IAM groups and add users, based upon their role, to different groups and apply the policy to group

Create a new role and add each user to the IAM role

Use the IAM groups and add users, based upon their role, to different groups and apply the policy to group

Create a policy and apply it to multiple users using a JSON script

Create an S3 bucket policy with unlimited access which includes each user's IAM account ID

You need to create a policy and apply it for just an individual user. How could you accomplish this in the right way?Please select:

Add an inline policy for the user

Add an IAM managed policy for the user

Add a service policy for the user

Add an inline policy for the user

Your company is planning on using bastion hosts for administering the servers in IAM. Which of the following is the best description of a bastion host from a security perspective?Please select:

Bastion hosts allow users to log in using RDP or SSH and use that session to S5H into internal network to access private subnet resources.

A Bastion host should be on a private subnet and never a public subnet due to security concerns

A Bastion host sits on the outside of an internal network and is used as a gateway into the private network and is considered the critical strong point of the network

Bastion hosts allow users to log in using RDP or SSH and use that session to S5H into internal network to access private subnet resources.

A Bastion host should maintain extremely tight security and monitoring as it is available to the public

Your company uses IAM to host its resources. They have the following requirements1) Record all API calls and Transitions2) Help in understanding what resources are there in the account3) Facility to allow auditing credentials and logins Which services would suffice the above requirementsPlease select:

CloudTrail, IAM Config, IAM Credential Reports

IAM Inspector, CloudTrail, IAM Credential Reports

CloudTrail. IAM Credential Reports, IAM SNS

CloudTrail, IAM Config, IAM Credential Reports

IAM SQS, IAM Credential Reports, CloudTrail

Your CTO is very worried about the security of your IAM account. How best can you prevent hackers from completely hijacking your account?Please select:

Use MFA on all users and accounts, especially on the root account.

Use short but complex password on the root account and any administrators.

Use IAM IAM Geo-Lock and disallow anyone from logging in except for in your city.

Use MFA on all users and accounts, especially on the root account.

Don't write down or remember the root account password after creating the IAM account.

Your CTO thinks your IAM account was hacked. What is the only way to know for certain if there was unauthorized access and what they did, assuming your hackers are very sophisticated IAM engineers and doing everything they can to cover their tracks?Please select:

Use CloudTrail Log File Integrity Validation.

Use IAM Config SNS Subscriptions and process events in real time.

Use CloudTrail backed up to IAM S3 and Glacier.

Use IAM Config Timeline forensics.

Your development team is using access keys to develop an application that has access to S3 and DynamoDB. A new security policy has outlined that the credentials should not be older than 2 months, and should be rotated. How can you achieve this?Please select:

Use a script to query the creation date of the keys. If older than 2 months, create new access key and update all applications to use it inactivate the old key and delete it.

Use the application to rotate the keys in every 2 months via the SDK

Use a script to query the creation date of the keys. If older than 2 months, create new access key and update all applications to use it inactivate the old key and delete it.

Delete the user associated with the keys after every 2 months. Then recreate the user again.

Delete the IAM Role associated with the keys after every 2 months. Then recreate the IAM Role again.

You work at a company that makes use of IAM resources. One of the key security policies is to ensure that all data i encrypted both at rest and in transit. Which of the following is one of the right ways to implement this.Please select:

Use S3 SSE and use SSL for data in transit

Enabling sticky sessions on your load balancer

There are currently multiple applications hosted in a VPC. During monitoring it has been noticed that multiple port scans are coming in from a specific IP Address block. The internal security team has requested that all offending IP Addresses be denied for the next 24 hours. Which of the following is the best method to quickly and temporarily deny access from the specified IP Address's.Please select:

Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP Address block.

Create an AD policy to modify the Windows Firewall settings on all hosts in the VPC to deny access from the IP Address block.

Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP Address block.

Add a rule to all of the VPC Security Groups to deny access from the IP Address block.

Modify the Windows Firewall settings on all AMI'S that your organization uses in that VPC to deny access from the IP address block.

A company has a set of EC2 Instances hosted in IAM. The EC2 Instances have EBS volumes which is used to store critical information. There is a business continuity requirement to ensure high availability for the EBS volumes. How can you achieve this?

Use lifecycle policies for the EBS volumes

A company is developing a highly resilient application to be hosted on multiple Amazon EC2 instances . The application will store highly sensitive user data in Amazon RDS tablesThe application must* Include migration to a different IAM Region in the application disaster recovery plan.* Provide a full audit trail of encryption key administration events* Allow only company administrators to administer keys.* Protect data at rest using application layer encryptionA Security Engineer is evaluating options for encryption key managementWhy should the Security Engineer choose IAM CloudHSM over IAM KMS for encryption key management in this situation?

CloudHSM ensures that only company support staff can administer encryption keys, whereas IAM KMS allows IAM staff to administer keys

The key administration event logging generated by CloudHSM is significantly more extensive than IAM KMS.

CloudHSM ensures that only company support staff can administer encryption keys, whereas IAM KMS allows IAM staff to administer keys

The ciphertext produced by CloudHSM provides more robust protection against brute force decryption attacks than the ciphertext produced by IAM KMS

CloudHSM provides the ability to copy keys to a different Region, whereas IAM KMS does not

A company has multiple Amazon S3 buckets encrypted with customer-managed CMKs Due to regulatory requirements the keys must be rotated every year. The company's Security Engineer has enabled automatic key rotation for the CMKs; however the company wants to verity that the rotation has occurred.What should the Security Engineer do to accomplish this?

Using the IAM CLI. run the IAM kms gel-key-relation-status operation with the --key-id parameter to check the CMK rotation date

Filter IAM CloudTrail logs for KeyRotaton events

Monitor Amazon CloudWatcn Events for any IAM KMS CMK rotation events

Using the IAM CLI. run the IAM kms gel-key-relation-status operation with the --key-id parameter to check the CMK rotation date

Use Amazon Athena to query IAM CloudTrail logs saved in an S3 bucket to filter Generate New Key events

Auditors for a health care company have mandated that all data volumes be encrypted at rest Infrastructure is deployed mainly via IAM CloudFormation however third-party frameworks and manual deployment are required on some legacy systemsWhat is the BEST way to monitor, on a recurring basis, whether all EBS volumes are encrypted?

Configure an IAM Config rule lo run on a recurring basis 'or volume encryption

On a recurring basis, update an IAM user policies to require that EC2 instances are created with an encrypted volume

Configure an IAM Config rule lo run on a recurring basis 'or volume encryption

Set up Amazon Inspector rules tor volume encryption to run on a recurring schedule

Use CloudWatch Logs to determine whether instances were created with an encrypted volume

A company became aware that one of its access keys was exposed on a code sharing website 11 days ago. A Security Engineer must review all use of the exposed access keys to determine the extent of the exposure. The company enabled IAM CloudTrail m an regions when it opened the accountWhich of the following will allow (he Security Engineer 10 complete the task?

Use Amazon Athena to query the CloudTrail logs from Amazon S3 Retrieve the rows for the exposed access key tor the past 11 days.

Filter the event history on the exposed access key in the CloudTrail console Examine the data from the past 11 days.

Use the IAM CLI lo generate an IAM credential report Extract all the data from the past 11 days.

Use Amazon Athena to query the CloudTrail logs from Amazon S3 Retrieve the rows for the exposed access key tor the past 11 days.

Use the Access Advisor tab in the IAM console to view all of the access key activity for the past 11 days.

For compliance reasons a Security Engineer must produce a weekly report that lists any instance that does not have the latest approved patches applied. The Engineer must also ensure that no system goes more than 30 days without the latest approved updates being appliedWhat would the MOST efficient way to achieve these goals?

Configure Amazon EC2 Systems Manager to report on instance patch compliance and enforce updates during the defined maintenance windows

Use Amazon inspector to determine which systems do not have the latest patches applied, and after 30 days, redeploy those instances with the latest AMI version

Configure Amazon EC2 Systems Manager to report on instance patch compliance and enforce updates during the defined maintenance windows

Examine IAM CloudTrail togs to determine whether any instances have not restarted in the last 30 days, and redeploy those instances

Update the AMls with the latest approved patches and redeploy each instance during the defined maintenance window

A Security Engineer has been tasked with enabling IAM Security Hub to monitor Amazon EC2 instances fix CVE in a single IAM account The Engineer has already enabled IAM Security Hub and Amazon Inspector m the IAM Management Console and has installed me Amazon Inspector agent on an EC2 instances that need to be monitored.Which additional steps should the Security Engineer lake 10 meet this requirement?

Configure the Amazon Inspector agent to use the CVE rule package Install an additional Integration library Allow the Amazon Inspector agent to communicate with Security Hub

Configure the Amazon inspector agent to use the CVE rule package

Configure the Amazon Inspector agent to use the CVE rule package Configure Security Hub to ingest from IAM inspector by writing a custom resource policy

Configure the Security Hub agent to use the CVE rule package Configure IAM Inspector lo ingest from Security Hub by writing a custom resource policy

Configure the Amazon Inspector agent to use the CVE rule package Install an additional Integration library Allow the Amazon Inspector agent to communicate with Security Hub

A company's Security Team received an email notification from the Amazon EC2 Abuse team that one or more of the company's Amazon EC2 instances may have been compromisedWhich combination of actions should the Security team take to respond to (be current modem? (Select TWO.)

Detach the internet gateway from the VPC remove aft rules that contain 0.0.0.0V0 from the security groups, and create a NACL rule to deny all traffic Inbound from the internet

Delete the identified compromised instances and delete any associated resources that the Security team did not create.

Open a support case with the IAM Security team and ask them to remove the malicious code from the affected instance

Respond to the notification and list the actions that have been taken to address the incident

Delete all IAM users and resources in the account

Detach the internet gateway from the VPC remove aft rules that contain 0.0.0.0V0 from the security groups, and create a NACL rule to deny all traffic Inbound from the internet

Delete the identified compromised instances and delete any associated resources that the Security team did not create.

A company is deploying an Amazon EC2-based application. The application will include a custom health-checking component that produces health status data in JSON format. A Security Engineer must implement a secure solution to monitor application availability in near-real time by analyzing the hearth status data.Which approach should the Security Engineer use?

Use Amazon CloudWatch monitoring to capture Amazon EC2 and networking metrics Visualize metrics using Amazon CloudWatch dashboards.

Run the Amazon Kinesis Agent to write the status data to Amazon Kinesis Data Firehose Store the streaming data from Kinesis Data Firehose in Amazon Redshift. (hen run a script on the pool data and analyze the data in Amazon Redshift

Write the status data directly to a public Amazon S3 bucket from the health-checking component Configure S3 events to invoke an IAM Lambda function that analyzes the data

Generate events from the health-checking component and send them to Amazon CloudWatch Events. Include the status data as event payloads. Use CloudWatch Events rules to invoke an IAM Lambda function that analyzes the data.

An organization must establish the ability to delete an IAM KMS Customer Master Key (CMK) within a 24-hour timeframe to keep it from being used for encrypt or decrypt operations Which of tne following actions will address this requirement?

Use the schedule key deletion function within KMS to specify the minimum wait period for deletion

Manually rotate a key within KMS to create a new CMK immediately

Use the KMS import key functionality to execute a delete key operation

Use the schedule key deletion function within KMS to specify the minimum wait period for deletion

Change the KMS CMK alias to immediately prevent any services from using the CMK.

An Application team has requested a new IAM KMS master key for use with Amazon S3, but the organizational security policy requires separate master keys for different IAM services to limit blast radius.How can an IAM KMS customer master key (CMK) be constrained to work with only Amazon S3?

Configure the CMK key policy to allow IAM KMS actions only when the kms ViaService condition matches the Amazon S3 service name.

Configure the CMK key policy to allow only the Amazon S3 service to use the kms Encrypt action

Configure the CMK key policy to allow IAM KMS actions only when the kms ViaService condition matches the Amazon S3 service name.

Configure the IAM user's policy lo allow KMS to pass a rote lo Amazon S3

Configure the IAM user's policy to allow only Amazon S3 operations when they are combined with the CMK

A Development team has built an experimental environment to test a simple stale web application It has built an isolated VPC with a private and a public subnet. The public subnet holds only an Application Load Balancer a NAT gateway, and an internet gateway. The private subnet holds ail of the Amazon EC2 instancesThere are 3 different types of servers Each server type has its own Security Group that limits access lo only required connectivity. The Security Groups nave both inbound and outbound rules applied Each subnet has both inbound and outbound network ACls applied to limit access to only required connectivityWhich of the following should the team check if a server cannot establish an outbound connection to the internet? (Select THREE.)

The outbound network ACL rules on the private subnet and both the inbound and outbound rules on the public subnet

The Security Group applied to the Application Load Balancer and NAT gateway

That the 0.0.0./0 route in the private subnet route table points to the internet gateway in the public subnet

The route tables and the outbound rules on the appropriate private subnet security group

The outbound network ACL rules on the private subnet and the Inbound network ACL rules on the public subnet

The outbound network ACL rules on the private subnet and both the inbound and outbound rules on the public subnet

The rules on any host-based firewall that may be applied on the Amazon EC2 instances

The Security Group applied to the Application Load Balancer and NAT gateway

That the 0.0.0./0 route in the private subnet route table points to the internet gateway in the public subnet

A company uses a third-party application to store encrypted data in Amazon S3. The company uses another third-party application trial decrypts the data from Amazon S3 to ensure separation of duties Between the applications A Security Engineer warns to separate the permissions using IAM roles attached to Amazon EC2 instances. The company prefers to use native IAM services.Which encryption method will meet these requirements?

Use server-side encryption with IAM KMS managed keys (SSE-KMS)

Use encrypted Amazon EBS volumes with Amazon default keys (IAM EBS)

Use server-side encryption with customer-provided keys (SSE-C)

Use server-side encryption with IAM KMS managed keys (SSE-KMS)

Use server-side encryption with Amazon S3 managed keys (SSE-S3)

A recent security audit found that IAM CloudTrail logs are insufficiently protected from tampering and unauthorized access Which actions must the Security Engineer take to address these audit findings? (Select THREE )

Ensure CloudTrail log file validation is turned on

Use Amazon Inspector to monitor the file integrity of CloudTrail log files.

Request a certificate through ACM and use a generated certificate private key to encrypt CloudTrail log files

Ensure CloudTrail log file validation is turned on

Configure an S3 lifecycle rule to periodically archive CloudTrail logs into Glacier for long-term storage

Use an S3 bucket with tight access controls that exists m a separate account

Use Amazon Inspector to monitor the file integrity of CloudTrail log files.

Request a certificate through ACM and use a generated certificate private key to encrypt CloudTrail log files

Encrypt the CloudTrail log files with server-side encryption with IAM KMS-managed keys (SSE-KMS)

A company hosts multiple externally facing applications, each isolated in its own IAM account The company'B Security team has enabled IAM WAF. IAM Config. and Amazon GuardDuty on all accounts. The company's Operations team has also joined all of the accounts to IAM Organizations and established centralized logging for CloudTrail. IAM Config, and GuardDuty. The company wants the Security team to take a reactive remediation in one account, and automate implementing this remediation as proactive prevention in all the other accounts.How should the Security team accomplish this?

Use GuardDuty alerts to write an IAM Lambda function that updates all accounts by adding additional NACLs on the Amazon EC2 instances to block known malicious IP addresses.

Update the IAM WAF rules in the affected account and use IAM Firewall Manager to push updated IAM WAF rules across all other accounts.

Use GuardDuty centralized logging and Amazon SNS to set up alerts to notify all application teams of security incidents.

Use GuardDuty alerts to write an IAM Lambda function that updates all accounts by adding additional NACLs on the Amazon EC2 instances to block known malicious IP addresses.

Use IAM Shield Advanced to identify threats in each individual account and then apply the account-based protections to all other accounts through Organizations.

A company is using IAM Secrets Manager to store secrets for its production Amazon RDS database. The Security Officer has asked that secrets be rotated every 3 months. Which solution would allow the company to securely rotate the secrets? (Select TWO.)

Place the RDS instance in a private subnet and an IAM Lambda function inside the VPC in the private subnet. Configure the private subnet to use a NAT gateway. Schedule the Lambda function to run every 3 months to rotate the secrets.

Place the RDS instance in a private subnet and an IAM Lambda function inside the VPC in the private subnet. Configure a Secrets Manager interface endpoint. Schedule the Lambda function to run every 3 months to rotate the secrets.

Place the RDS instance in a public subnet and an IAM Lambda function outside the VPC. Schedule the Lambda function to run every 3 months to rotate the secrets.

Place the RDS instance in a private subnet and an IAM Lambda function inside the VPC in the private subnet. Configure the private subnet to use a NAT gateway. Schedule the Lambda function to run every 3 months to rotate the secrets.

Place the RDS instance in a private subnet and an IAM Lambda function outside the VPC. Configure the private subnet to use an internet gateway. Schedule the Lambda function to run every 3 months lo rotate the secrets.

Place the RDS instance in a private subnet and an IAM Lambda function inside the VPC in the private subnet. Schedule the Lambda function to run quarterly to rotate the secrets.

Place the RDS instance in a private subnet and an IAM Lambda function inside the VPC in the private subnet. Configure a Secrets Manager interface endpoint. Schedule the Lambda function to run every 3 months to rotate the secrets.

Amazon SCS-C02 Practice Test 1 - Free Online Exam Questions 1-40

Question 1 / 40

A company Is planning to use Amazon Elastic File System (Amazon EFS) with its on-premises servers. The company has an existing IAM Direct Connect connection established between its on-premises data center and an IAM Region Security policy states that the company's on-premises firewall should only have specific IP addresses added to the allow list and not a CIDR range. The company also wants to restrict access so that only certain data center-based servers have access to Amazon EFS

How should a security engineer implement this solution''

Add the file-system-id efs IAM-region amazonIAM com URL to the allow list for the data center firewall Install the IAM CLI on the data center-based servers to mount the EFS file system in the EFS security group add the data center IP range to the allow list Mount the EFS using the EFS file system name

Assign an Elastic IP address to Amazon EFS and add the Elastic IP address to the allow list for the data center firewall Install the IAM CLI on the data center-based servers to mount the EFS file system In the EFS security group, add the IP addresses of the data center servers to the allow list Mount the EFS using the Elastic IP address

Add the EFS file system mount target IP addresses to the allow list for the data center firewall In the EFS security group, add the data center server IP addresses to the allow list Use the Linux terminal to mount the EFS file system using the IP address of one of the mount targets

Assign a static range of IP addresses for the EFS file system by contacting IAM Support In the EFS security group add the data center server IP addresses to the allow list Use the Linux terminal to mount the EFS file system using one of the static IP addresses

Comment (0)

Amazon SCS-C02 Practice Test 1

Question

Amazon SCS-C02 Practice Tests

Practice Tests