Quiz IT certification exam

Question 1

A corporation is preparing to acquire several companies. A Security Engineer must design a solution to ensure that newly acquired IAM accounts follow the corporation's security best practices. The solution should monitor each Amazon S3 bucket for unrestricted public write access and use IAM managed services.

What should the Security Engineer do to meet these requirements?

Accepted Answer

Set up IAM Systems Manager to monitor S3 bucket policies for public write access.

Answer

Configure Amazon Macie to continuously check the configuration of all S3 buckets.

Answer

Enable IAM Config to check the configuration of each S3 bucket.

Answer

Configure an Amazon EC2 instance to have an IAM role and a cron job that checks the status of all S3 buckets.

Question 2

A Security Engineer is troubleshooting an issue with a company's custom logging application. The application logs are written to an Amazon S3 bucket with event notifications enabled to send events lo an Amazon SNS topic. All logs are encrypted at rest using an IAM KMS CMK. The SNS topic is subscribed to an encrypted Amazon SQS queue. The logging application polls the queue for new messages that contain metadata about the S3 object. The application then reads the content of the object from the S3 bucket for indexing.The Logging team reported that Amazon CloudWatch metrics for the number of messages sent or received is showing zero. No togs are being received.What should the Security Engineer do to troubleshoot this issue?A) Add the following statement to the IAM managed CMKs: Amazon SCS-C02 image Question 42 7750 09162024005941000000

B)Add the following statement to the CMK key policy: Amazon SCS-C02 image Question 42 7750 09162024005941000000

C)Add the following statement to the CMK key policy: Amazon SCS-C02 image Question 42 7750 09162024005941000000

D)Add the following statement to the CMK key policy: Amazon SCS-C02 image Question 42 7750 09162024005941000000

Accepted Answer

Option D

Answer

Option A

Answer

Option B

Answer

Option C

Question 3

Developers in an organization have moved from a standard application deployment to containers. The Security Engineer is tasked with ensuring that the containers are secure. Which strategies will reduce the attack surface and enhance the security of the containers? (Select TWO.)

Accepted Answer

Use the containers to automate security deployments.

Accepted Answer

Segregate containers by host, function, and data classification.

Answer

Limit resource consumption (CPU, memory), networking connections, ports, and unnecessary container libraries.

Answer

Use Docker Notary framework to sign task definitions.

Answer

Enable container breakout at the host kernel.

Question 4

An organization wants to log all IAM API calls made within all of its IAM accounts, and must have a central place to analyze these logs. What steps should be taken to meet these requirements in the MOST secure manner? (Select TWO)

Accepted Answer

Turn on IAM CloudTrail in each IAM account

Accepted Answer

Update the bucket policy of the bucket in the account that will be storing the logs so that other accounts can log to it

Answer

Turn on CloudTrail in only the account that will be storing the logs

Answer

Update the bucket ACL of the bucket in the account that will be storing the logs so that other accounts can log to it

Answer

Create a service-based role for CloudTrail and associate it with CloudTrail in each account

Question 5

An IT department currently has a Java web application deployed on Apache Tomcat running on Amazon EC2 instances. All traffic to the EC2 instances is sent through an internet-facing Application Load Balancer (ALB) The Security team has noticed during the past two days thousands of unusual read requests coming from hundreds of IP addresses. This is causing the Tomcat server to run out of threads and reject new connectionsWhich the SIMPLEST change that would address this server issue?

Accepted Answer

Create an Amazon CloudFront distribution and configure the ALB as the origin

Answer

Block the malicious IPs with a network access list (NACL).

Answer

Create an IAM Web Application Firewall (WAF). and attach it to the ALB

Answer

Map the application domain name to use Route 53

Question 6

An organization has a multi-petabyte workload that it is moving to Amazon S3, but the CISO is concerned about cryptographic wear-out and the blast radius if a key is compromised. How can the CISO be assured that IAM KMS and Amazon S3 are addressing the concerns? (Select TWO )

Accepted Answer

S3 uses KMS to generate a unique data key for each individual object.

Accepted Answer

The KMS encryption envelope digitally signs the master key during encryption to prevent cryptographic wear-out

Answer

There is no API operation to retrieve an S3 object in its encrypted form.

Answer

Encryption of S3 objects is performed within the secure boundary of the KMS service.

Answer

Using a single master key to encrypt all data includes having a single place to perform audits and usage validation.

Question 7

A company wants to deploy a distributed web application on a fleet of EC2 instances. The fleet will be fronted by a Classic Load Balancer that will be configured to terminate the TLS connection The company wants to make sure that all past and current TLS traffic to the Classic Load Balancer stays secure even if the certificate private key is leaked.To ensure the company meets these requirements, a Security Engineer can configure a Classic Load Balancer with:

Accepted Answer

An HTTPS listener that uses a custom security policy that allows only perfect forward secrecy cipher suites

Answer

An HTTPS listener that uses a certificate that is managed by Amazon Certification Manager.

Answer

An HTTPS listener that uses the latest IAM predefined ELBSecuntyPolicy-TLS-1 -2-2017-01 security policy

Answer

A TCP listener that uses a custom security policy that allows only perfect forward secrecy cipher suites.

Question 8

A company has two IAM accounts within IAM Organizations. In Account-1. Amazon EC2 Auto Scaling is launched using a service-linked role. In Account-2. Amazon EBS volumes are encrypted with an IAM KMS key A Security Engineer needs to ensure that the service-linked role can launch instances with these encrypted volumesWhich combination of steps should the Security Engineer take in both accounts? (Select TWO.)

Accepted Answer

Create a KMS grant for the service-linked role with these actions CreateGrant, DescnbeKey Encrypt GenerateDataKey Decrypt, and ReEncrypt

Accepted Answer

Attach an IAM policy to the role attached to the EC2 instances with KMS actions and then allow Account-1 in the KMS key policy.

Answer

Allow Account-1 to access the KMS key in Account-2 using a key policy

Answer

Attach an IAM policy to the service-linked role in Account-1 that allows these actions CreateGrant. DescnbeKey, Encrypt, GenerateDataKey, Decrypt, and ReEncrypt

Answer

Attach an IAM policy to the user who is launching EC2 instances and allow the user to access the KMS key policy of Account-2.

Question 9

During a manual review of system logs from an Amazon Linux EC2 instance, a Security Engineer noticed that there are sudo commands that were never properly alerted or reported on the Amazon CloudWatch Logs agentWhy were there no alerts on the sudo commands?

Accepted Answer

The IAM instance profile on the EC2 instance was not properly configured to allow the CloudWatch Logs agent to push the logs to CloudWatch

Answer

There is a security group blocking outbound port 80 traffic that is preventing the agent from sending the logs

Answer

CloudWatch Logs status is set to ON versus SECURE, which prevents it from pulling in OS security event logs

Answer

The VPC requires that all traffic go through a proxy, and the CloudWatch Logs agent does not support a proxy configuration.

Question 10

A large corporation is creating a multi-account strategy and needs to determine how its employees should access the IAM infrastructure.Which of the following solutions would provide the MOST scalable solution?

Accepted Answer

Use a centralized account with IAM roles that employees can assume through federation with their existing identity provider Use cross-account roles to allow the federated users to assume their target role in the resource accounts.

Answer

Create dedicated IAM users within each IAM account that employees can assume through federation based upon group membership in their existing identity provider

Answer

Configure the IAM Security Token Service to use Kerberos tokens so that users can use their existing corporate user names and passwords to access IAM resources directly

Answer

Configure the IAM trust policies within each account's role to set up a trust back to the corporation's existing identity provider allowing users to assume the role based off their SAML token

Question 11

An Incident Response team is investigating an IAM access key leak that resulted in Amazon EC2 instances being launched. The company did not discover the incident until many months later The Director of Information Security wants to implement new controls that will alert when similar incidents happen in the futureWhich controls should the company implement to achieve this? {Select TWO.)

Accepted Answer

Enable VPC Flow Logs in all VPCs Create a scheduled IAM Lambda function that downloads and parses the logs, and sends an Amazon SNS notification for violations.

Accepted Answer

Verify that Amazon GuardDuty is enabled in all Regions, and create an Amazon CloudWatch Events rule for Amazon GuardDuty findings Add an Amazon SNS topic as the rule's target

Answer

Use IAM CloudTrail to make a trail, and apply it to all Regions Specify an Amazon S3 bucket to receive all the CloudTrail log files

Answer

Add the following bucket policy to the company's IAM CloudTrail bucket to prevent log tampering { 'Version': '2012-10-17-, 'Statement': { 'Effect': 'Deny', 'Action': 's3:PutObject', 'Principal': '-', 'Resource': 'arn:IAM:s3:::cloudtrail/IAMLogs/111122223333/*' } } Create an Amazon S3 data event for an PutObject attempts, which sends notifications to an Amazon SNS topic.

Answer

Create a Security Auditor role with permissions to access Amazon CloudWatch Logs m all Regions Ship the logs to an Amazon S3 bucket and make a lifecycle policy to ship the logs to Amazon S3 Glacier.

Question 12

A company's Security Engineer is copying all application logs to centralized Amazon S3 buckets. Currently, each of the company's applications is in its own IAM account, and logs are pushed into S3 buckets associated with each account. The Engineer will deploy an IAM Lambda function into each account that copies the relevant log files to the centralized S3 bucket.The Security Engineer is unable to access the log files in the centralized S3 bucket. The Engineer's IAM user policy from the centralized account looks like this: Amazon SCS-C02 image Question 52 7760 09162024005941000000

The centralized S3 bucket policy looks like this: Amazon SCS-C02 image Question 52 7760 09162024005941000000

Why is the Security Engineer unable to access the log files?

Accepted Answer

The Security Engineers IAM policy does not grant permissions to read objects in the S3 bucket

Answer

The S3 bucket policy does not explicitly allow the Security Engineer access to the objects in the bucket.

Answer

The object ACLs are not being updated to allow the users within the centralized account to access the objects

Answer

The s3:PutObject and s3:PutObjectAcl permissions should be applied at the S3 bucket level

Question 13

Example.com is hosted on Amazon EC2 instances behind an Application Load Balancer (ALB). Third-party host intrusion detection system (HIDS) agents that capture the traffic of the EC2 instance are running on each host. The company must ensure they are using privacy enhancing technologies for users, without losing the assurance the third-party solution offers.What is the MOST secure way to meet these requirements?

Accepted Answer

Create a listener on the ALB that does not enable Perfect Forward Secrecy (PFS) cipher suites, and use encrypted connections to the servers using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites.

Answer

Enable TLS pass through on the ALB, and handle decryption at the server using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites.

Answer

Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and pass the traffic in the clear to the server.

Answer

Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and use encrypted connections to the servers that do not enable Perfect Forward Secrecy (PFS).

Question 14

A company's Chief Security Officer has requested that a Security Analyst review and improve the security posture of each company IAM account The Security Analyst decides to do this by Improving IAM account root user security.Which actions should the Security Analyst take to meet these requirements? (Select THREE.)

Accepted Answer

Delete the access keys for the account root user in every account.

Accepted Answer

Enable multi-factor authentication (MFA) on every account root user in all accounts.

Accepted Answer

Create a custom IAM policy to limit permissions to required actions for the account root user and attach the policy to the account root user.

Answer

Create an admin IAM user with administrative privileges and delete the account root user in every account.

Answer

Implement a strong password to help protect account-level access to the IAM Management Console by the account root user.

Answer

Attach an IAM role to the account root user to make use of the automated credential rotation in IAM STS.

Question 15

A Security Architect has been asked to review an existing security architecture and identify why the application servers cannot successfully initiate a connection to the database servers. The following summary describes the architecture:1 An Application Load Balancer, an internet gateway, and a NAT gateway are configured in the public subnet 2. Database, application, and web servers are configured on three different private subnets.3 The VPC has two route tables: one for the public subnet and one for all other subnets The route table for the public subnet has a 0 0 0 0/0 route to the internet gateway The route table for all other subnets has a 0 0.0.0/0 route to the NAT gateway. All private subnets can route to each other4 Each subnet has a network ACL implemented that limits all inbound and outbound connectivity to only the required ports and protocols5 There are 3 Security Groups (SGs) database application and web Each group limits all inbound and outbound connectivity to the minimum requiredWhich of the following accurately reflects the access control mechanisms the Architect should verify1?

Accepted Answer

Outbound SG configuration on database servers Inbound SG configuration on application servers inbound and outbound network ACL configuration on the database subnet Inbound and outbound network ACL configuration on the application server subnet

Answer

Inbound SG configuration on database servers Outbound SG configuration on application servers Inbound and outbound network ACL configuration on the database subnet Inbound and outbound network ACL configuration on the application server subnet

Answer

Inbound and outbound SG configuration on database servers Inbound and outbound SG configuration on application servers Inbound network ACL configuration on the database subnet Outbound network ACL configuration on the application server subnet

Answer

Inbound SG configuration on database servers Outbound SG configuration on application servers Inbound network ACL configuration on the database subnet Outbound network ACL configuration on the application server subnet.

Question 16

A Security Engineer receives alerts that an Amazon EC2 instance on a public subnet is under an SFTP brute force attack from a specific IP address, which is a known malicious bot. What should the Security Engineer do to block the malicious bot?

Accepted Answer

Modify the hosted zone in Amazon Route 53 and create a DNS sinkhole for the malicious IP

Answer

Add a deny rule to the public VPC security group to block the malicious IP

Answer

Add the malicious IP to IAM WAF backhsted IPs

Answer

Configure Linux iptables or Windows Firewall to block any traffic from the malicious IP

Question 17

A System Administrator is unable to start an Amazon EC2 instance in the eu-west-1 Region using an IAM role The same System Administrator is able to start an EC2 instance in the eu-west-2 and eu-west-3 Regions. The IAMSystemAdministrator access policy attached to the System Administrator IAM role allows unconditional access to all IAM services and resources within the accountWhich configuration caused this issue?A) An SCP is attached to the account with the following permission statement: Amazon SCS-C02 image Question 57 7765 09162024005941000000

Amazon SCS-C02 image Question 57 7765 09162024005941000000

B)A permission boundary policy is attached to the System Administrator role with the following permission statement: Amazon SCS-C02 image Question 57 7765 09162024005941000000

C)A permission boundary is attached to the System Administrator role with the following permission statement: Amazon SCS-C02 image Question 57 7765 09162024005941000000

D)An SCP is attached to the account with the following statement: Amazon SCS-C02 image Question 57 7765 09162024005941000000

Accepted Answer

Option B

Answer

Option A

Answer

Option C

Answer

Option D

Question 18

A company manages three separate IAM accounts for its production, development, and test environments, Each Developer is assigned a unique IAM user under the development account. A new application hosted on an Amazon EC2 instance in the developer account requires read access to the archived documents stored in an Amazon S3 bucket in the production account.How should access be granted?

Accepted Answer

Create an IAM role in the production account and allow EC2 instances in the development account to assume that role using the trust policy. Provide read access for the required S3 bucket to this role.

Answer

Use a custom identity broker to allow Developer IAM users to temporarily access the S3 bucket.

Answer

Create a temporary IAM user for the application to use in the production account.

Answer

Create a temporary IAM user in the production account and provide read access to Amazon S3. Generate the temporary IAM user's access key and secret key and store these on the EC2 instance used by the application in the development account.

Question 19

A company is operating a website using Amazon CloudFornt. CloudFront servers some content from Amazon S3 and other from web servers running EC2 instances behind an Application. Load Balancer (ALB). Amazon DynamoDB is used as the data store. The company already uses IAM Certificate Manager (ACM) to store a public TLS certificate that can optionally secure connections between the website users and CloudFront. The company has a new requirement to enforce end-to-end encryption in transit.Which combination of steps should the company take to meet this requirement? (Select THREE.)

Accepted Answer

Update the web application configuration on the web servers to use HTTPS instead of HTTP when connecting to DynamoDB

Accepted Answer

Update the CloudFront distribution to redirect HTTP corrections to HTTPS

Accepted Answer

Update the ALB listen to listen using HTTPS using the public ACM TLS certificate. Update the CloudFront distribution to connect to the HTTPS listener.

Answer

Update the CloudFront distribution. configuring it to optionally use HTTPS when connecting to origins on Amazon S3

Answer

Configure the web servers on the EC2 instances to listen using HTTPS using the public ACM TLS certificate Update the ALB to connect to the target group using HTTPS

Answer

Create a TLS certificate Configure the web servers on the EC2 instances to use HTTPS only with that certificate. Update the ALB to connect to the target group using HTTPS.

Question 20

A company has a web-based application using Amazon CloudFront and running on Amazon Elastic Container Service (Amazon ECS) behind an Application Load Balancer (ALB). The ALB is terminating TLS and balancing load across ECS service tasks A security engineer needs to design a solution to ensure that application content is accessible only through CloudFront and that I is never accessible directly.How should the security engineer build the MOST secure solution?

Accepted Answer

Add an origin custom header Set the viewer protocol policy to redirect HTTP to HTTPS. Set the origin protocol policy to HTTPS only Update the application to validate the CloudFront custom header

Answer

Add an origin custom header Set the viewer protocol policy to HTTP and HTTPS Set the origin protocol pokey to HTTPS only Update the application to validate the CloudFront custom header

Answer

Add an origin custom header Set the viewer protocol policy to HTTPS only Set the origin protocol policy to match viewer Update the application to validate the CloudFront custom header.

Answer

Add an origin custom header Set the viewer protocol policy to redirect HTTP to HTTPS Set the origin protocol policy to HTTP only Update the application to validate the CloudFront custom header.

Question 21

A company needs to use HTTPS when connecting to its web applications to meet compliance requirements. These web applications run in Amazon VPC on Amazon EC2 instances behind an Application Load Balancer (ALB). A security engineer wants to ensure that the load balancer win only accept connections over port 443. even if the ALB is mistakenly configured with an HTTP listenerWhich configuration steps should the security engineer take to accomplish this task?

Accepted Answer

Create a security group with a single inbound rule that allows connections from 0.0.0 0/0 on port 443. Ensure this security group is the only one associated with the ALB

Answer

Create a security group with a rule that denies Inbound connections from 0.0.0 0/0 on port 00. Attach this security group to the ALB to overwrite more permissive rules from the ALB's default security group.

Answer

Create a network ACL that denies inbound connections from 0 0.0.0/0 on port 80 Associate the network ACL with the VPC s internet gateway

Answer

Create a network ACL that allows outbound connections to the VPC IP range on port 443 only. Associate the network ACL with the VPC's internet gateway.

Question 22

A company created an IAM account for its developers to use for testing and learning purposes Because MM account will be shared among multiple teams of developers, the company wants to restrict the ability to stop and terminate Amazon EC2 instances so that a team can perform these actions only on the instances it owns.Developers were Instructed to tag al their instances with a Team tag key and use the team name in the tag value One of the first teams to use this account is Business Intelligence A security engineer needs to develop a highly scalable solution for providing developers with access to the appropriate resources within the account The security engineer has already created individual IAM roles for each team.Which additional configuration steps should the security engineer take to complete the task?

Accepted Answer

For each team, create an AM policy similar to the one that fellows Populate the ec2: ResourceTag/Team condition key with a proper team name Attach resulting policies to the corresponding IAM roles.

Answer

For each team create an IAM policy similar to the one that follows Populate the IAM TagKeys/Team condition key with a proper team name. Attach the resuming policies to the corresponding IAM roles.

Answer

Tag each IAM role with a Team lag key. and use the team name in the tag value. Create an IAM policy similar to the one that follows, and attach 4 to all the IAM roles used by developers.

Answer

Tag each IAM role with the Team key, and use the team name in the tag value. Create an IAM policy similar to the one that follows, and it to all the IAM roles used by developers.

Question 23

An ecommerce website was down for 1 hour following a DDoS attack Users were unable to connect to the website during the attack period. The ecommerce company's security team is worried about future potential attacks and wants to prepare for such events The company needs to minimize downtime in its response to similar attacks in the future.Which steps would help achieve this9 (Select TWO )

Accepted Answer

Subscribe to IAM Shield Advanced and reach out to IAM Support in the event of an attack.

Accepted Answer

Use IAM WAF to create rules to respond to such attacks

Answer

Enable Amazon GuardDuty to automatically monitor for malicious activity and block unauthorized access.

Answer

Use VPC Flow Logs to monitor network: traffic and an IAM Lambda function to automatically block an attacker's IP using security groups.

Answer

Set up an Amazon CloudWatch Events rule to monitor the IAM CloudTrail events in real time use IAM Config rules to audit the configuration, and use IAM Systems Manager for remediation.

Question 24

A security engineer must troubleshoot an administrator's inability to make an existing Amazon S3 bucket public in an account that is part of an organization n IAM Organizations. The administrator switched the role from the master account to a member account and then attempted to make one S3 bucket public. This action was immediately deniedWhich actions should the security engineer take to troubleshoot the permissions issue? (Select TWO.)

Accepted Answer

Evaluate the SCPs covering the member account and the permissions boundary of the role in the member account for missing permissions and explicit denies.

Accepted Answer

Ensure the S3 bucket policy explicitly allows the s3 PutBucketPublicAccess action for the role m the member account

Answer

Review the cross-account role permissions and the S3 bucket policy Verify that the Amazon S3 block public access option in the member account is deactivated.

Answer

Review the role permissions m the master account and ensure it has sufficient privileges to perform S3 operations

Answer

Filter IAM CloudTrail logs for the master account to find the original deny event and update the cross-account role m the member account accordingly Verify that the Amazon S3 block public access option in the master account is deactivated.

Question 25

A company is using Amazon Elastic Container Service (Amazon ECS) to deploy an application that deals with sensitive data During a recent security audit, the company identified a security issue in which Amazon RDS credentials were stored with the application code In the company's source code repositoryA security engineer needs to develop a solution to ensure that database credentials are stored securely and rotated periodically. The credentials should be accessible to the application only The engineer also needs to prevent database administrators from sharing database credentials as plaintext with other teammates. The solution must also minimize administrate overheadWhich solution meets these requirements?

Accepted Answer

Use IAM Secrets Manager to store database credentials. Use IAM roles for ECS tasks to restrict access to database credentials to specific containers only.

Answer

Use the IAM Systems Manager Parameter Store to generate database credentials. Use an IAM profile for ECS tasks to restrict access to database credentials to specific containers only.

Answer

Use IAM Secrets Manager to store database credentials. Use an IAM inline policy for ECS tasks to restrict access to database credentials to specific containers only.

Answer

Use the IAM Systems Manager Parameter Store to store database credentials. Use IAM roles for ECS tasks to restrict access to database credentials lo specific containers only

Question 26

A company needs to encrypt all of its data stored in Amazon S3. The company wants to use IAM Key Management Service (IAM KMS) to create and manage its encryption keys. The company's security policies require the ability to Import the company's own key material for the keys, set an expiration date on the keys, and delete keys immediately, if needed.How should a security engineer set up IAM KMS to meet these requirements?

Accepted Answer

Configure IAM KMS and use a custom key store. Create a customer managed CMK with no key material Import the company's keys and key material into the CMK

Answer

Configure IAM KMS and use the default Key store Create an IAM managed CMK with no key material Import the company's key material into the CMK

Answer

Configure IAM KMS and use the default key store Create a customer managed CMK with no key material import the company's key material into the CMK

Answer

Configure IAM KMS and use a custom key store. Create an IAM managed CMK with no key material. Import the company's key material into the CMK.

Question 27

Amazon GuardDuty has detected communications to a known command and control endpoint from a company's Amazon EC2 instance. The instance was found to be running a vulnerable version of a common web framework. The company's security operations team wants to quickly identity other compute resources with the specific version of that framework installed.Which approach should the team take to accomplish this task?

Accepted Answer

Scan all the EC2 instances with IAM Systems Manager to identify the vulnerable version of the web framework

Answer

Scan all the EC2 instances for noncompliance with IAM Config. Use Amazon Athena to query IAM CloudTrail logs for the framework installation

Answer

Scan all the EC2 instances with the Amazon Inspector Network Reachability rules package to identity instances running a web server with RecognizedPortWithListener findings

Answer

Scan an the EC2 instances with IAM Resource Access Manager to identify the vulnerable version of the web framework

Question 28

A company's security engineer has been tasked with restricting a contractor's IAM account access to the company's Amazon EC2 console without providing access to any other IAM services The contractors IAM account must not be able to gain access to any other IAM service, even it the IAM account rs assigned additional permissions based on IAM group membershipWhat should the security engineer do to meet these requirements''

Accepted Answer

Create an IAM permissions boundary policy that allows Amazon EC2 access Associate the contractor's IAM account with the IAM permissions boundary policy

Answer

Create an mime IAM user policy that allows for Amazon EC2 access for the contractor's IAM user

Answer

Create an IAM group with an attached policy that allows for Amazon EC2 access Associate the contractor's IAM account with the IAM group

Answer

Create a IAM role that allows for EC2 and explicitly denies all other services Instruct the contractor to always assume this role

Question 29

A security engineer has enabled IAM Security Hub in their IAM account, and has enabled the Center for internet Security (CIS) IAM Foundations compliance standard. No evaluation results on compliance are returned in the Security Hub console after several hours. The engineer wants to ensure that Security Hub can evaluate their resources for CIS IAM Foundations compliance.Which steps should the security engineer take to meet these requirements?

Accepted Answer

Ensure that IAM Config. is enabled in the account, and that the required IAM Config rules have been created for the CIS compliance evaluation

Answer

Add full Amazon Inspector IAM permissions to the Security Hub service role to allow it to perform the CIS compliance evaluation

Answer

Ensure that IAM Trusted Advisor Is enabled in the account and that the Security Hub service role has permissions to retrieve the Trusted Advisor security-related recommended actions

Answer

Ensure that the correct trail in IAM CloudTrail has been configured for monitoring by Security Hub and that the Security Hub service role has permissions to perform the GetObject operation on CloudTrails Amazon S3 bucket

Question 30

A developer 15 building a serverless application hosted on IAM that uses Amazon Redshift in a data store. The application has separate modules for read/write and read-only functionality. The modules need their own database users tor compliance reasons.Which combination of steps should a security engineer implement to grant appropriate access' (Select TWO )

Accepted Answer

Configure an IAM poky for each module Specify the ARN of an Amazon Redshift database user that allows the GetClusterCredentials API call

Accepted Answer

Create focal database users for each module

Answer

Configure cluster security groups for each application module to control access to database users that are required for read-only and read/write.

Answer

Configure a VPC endpoint for Amazon Redshift Configure an endpoint policy that maps database users to each application module, and allow access to the tables that are required for read-only and read/write

Answer

Configure an IAM policy for each module Specify the ARN of an IAM user that allows the GetClusterCredentials API call

Question 31

A company uses an Amazon S3 bucket to store reports Management has mandated that all new objects stored in this bucket must be encrypted at rest using server-side encryption with a client-specified IAM Key Management Service (IAM KMS) CMK owned by the same account as the S3 bucket. The IAM account number is 111122223333, and the bucket name Is report bucket. The company's security specialist must write the S3 bucket policy to ensure the mandate can be ImplementedWhich statement should the security specialist include in the policy?

Accepted Answer

Question 32

A company's policy requires that all API keys be encrypted and stored separately from source code in a centralized security account. This security account is managed by the company's security team However, an audit revealed that an API key is steed with the source code of an IAM Lambda function m an IAM CodeCommit repository in the DevOps accountHow should the security learn securely store the API key?

Accepted Answer

Create a secret in IAM Secrets Manager in the security account to store the API key using IAM Key Management Service (IAM KMS) tor encryption Grant access to the IAM role used by the Lambda function so that the function can retrieve the key from Secrets Manager and call the API

Answer

Create a CodeCommit repository in the security account using IAM Key Management Service (IAM KMS) tor encryption Require the development team to migrate the Lambda source code to this repository

Answer

Store the API key in an Amazon S3 bucket in the security account using server-side encryption with Amazon S3 managed encryption keys (SSE-S3) to encrypt the key Create a resigned URL tor the S3 key. and specify the URL m a Lambda environmental variable in the IAM CloudFormation template Update the Lambda function code to retrieve the key using the URL and call the API

Answer

Create an encrypted environment variable for the Lambda function to store the API key using IAM Key Management Service (IAM KMS) tor encryption Grant access to the IAM role used by the Lambda function so that the function can decrypt the key at runtime

Question 33

A company's on-premises networks are connected to VPCs using an IAM Direct Connect gateway. The company's on-premises application needs to stream data using an existing Amazon Kinesis Data Firehose delivery stream. The company's security policy requires that data be encrypted in transit using a private network.How should the company meet these requirements?

Accepted Answer

Create a VPC endpoint tor Kinesis Data Firehose. Configure the application to connect to the VPC endpoint.

Answer

Configure an IAM policy to restrict access to Kinesis Data Firehose using a source IP condition. Configure the application to connect to the existing Firehose delivery stream.

Answer

Create a new TLS certificate in IAM Certificate Manager (ACM). Create a public-facing Network Load Balancer (NLB) and select the newly created TLS certificate. Configure the NLB to forward all traffic to Kinesis Data Firehose. Configure the application to connect to the NLB.

Answer

Peer the on-premises network with the Kinesis Data Firehose VPC using Direct Connect. Configure the application to connect to the existing Firehose delivery stream.

Question 34

A company has implemented IAM WAF and Amazon CloudFront for an application. The application runs on Amazon EC2 instances that are part of an Auto Scaling group. The Auto Scaling group is behind an Application Load Balancer (ALB).The IAM WAF web ACL uses an IAM Managed Rules rule group and is associated with the CloudFront distribution. CloudFront receives the request from IAM WAF and then uses the ALB as the distribution's origin.During a security review, a security engineer discovers that the infrastructure is susceptible to a large, layer 7 DDoS attack.How can the security engineer improve the security at the edge of the solution to defend against this type of attack?

Accepted Answer

Configure IAM WAF with a rate-based rule that imposes a rate limit that automatically blocks requests when the rate limit is exceeded.

Answer

Configure the CloudFront distribution to use the Lambda@Edge feature. Create an IAM Lambda function that imposes a rate limit on CloudFront viewer requests. Block the request if the rate limit is exceeded.

Answer

Configure the IAM WAF web ACL so that the web ACL has more capacity units to process all IAM WAF rules faster.

Answer

Configure the CloudFront distribution to use IAM WAF as its origin instead of the ALB.

Question 35

A security engineer needs to create an Amazon S3 bucket policy to grant least privilege read access to IAM user accounts that are named User=1, User2. and User3. These IAM user accounts are members of the AuthorizedPeople IAM group. The security engineer drafts the following S3 bucket policy: Amazon SCS-C02 image Question 75 7783 09162024005941000000

Amazon SCS-C02 image Question 75 7783 09162024005941000000

When the security engineer tries to add the policy to the S3 bucket, the following error message appears: 'Missing required field Principal.' The security engineer is adding a Principal element to the policy. The addition must provide read access to only User1. User2, and User3. Which solution meets these requirements?A) Amazon SCS-C02 image Question 75 7783 09162024005941000000

B)

C)

D)

Accepted Answer

Option A

Answer

Option B

Answer

Option C

Answer

Option D

Question 36

A company is building an application on IAM that will store sensitive Information. The company has a support team with access to the IT infrastructure, including databases. The company's security engineer must introduce measures to protect the sensitive data against any data breach while minimizing management overhead. The credentials must be regularly rotated.What should the security engineer recommend?

Accepted Answer

Enable Amazon RDS encryption to encrypt the database and snapshots. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances. Store the database credentials in IAM Secrets Manager with automatic rotation. Set up TLS for the connection to the RDS hosted database.

Answer

Enable Amazon RDS encryption to encrypt the database and snapshots. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances. Include the database credential in the EC2 user data field. Use an IAM Lambda function to rotate database credentials. Set up TLS for the connection to the database.

Answer

Install a database on an Amazon EC2 Instance. Enable third-party disk encryption to encrypt the Amazon Elastic Block Store (Amazon EBS) volume. Store the database credentials in IAM CloudHSM with automatic rotation. Set up TLS for the connection to the database.

Answer

Set up an IAM CloudHSM cluster with IAM Key Management Service (IAM KMS) to store KMS keys. Set up Amazon RDS encryption using IAM KMS to encrypt the database. Store database credentials in the IAM Systems Manager Parameter Store with automatic rotation. Set up TLS for the connection to the RDS hosted database.

Question 37

A company deployed Amazon GuardDuty In the us-east-1 Region. The company wants all DNS logs that relate to the company's Amazon EC2 instances to be inspected. What should a security engineer do to ensure that the EC2 instances are logged?

Accepted Answer

Use IAM DNS resolvers for all EC2 instances.

Answer

Use IPv6 addresses that are configured for hostnames.

Answer

Configure external DNS resolvers as internal resolvers that are visible only to IAM.

Answer

Configure a third-party DNS resolver with logging for all EC2 instances.

Question 38

A company wants to establish separate IAM Key Management Service (IAM KMS) keys to use for different IAM services. The company's security engineer created the following key policy lo allow the infrastructure deployment team to create encrypted Amazon Elastic Block Store (Amazon EBS) volumes by assuming the InfrastructureDeployment IAM role:<img alt="Amazon SCS-C02 image Question 78 7786 09162024005941000000"   width="777" height="593" src="https://examgecko.com/getfile/75ff8eec-1495-4308-b8ce-6a3d3d684bee">The security engineer recently discovered that IAM roles other than the InfrastructureDeployment role used this key (or other services. Which change to the policy should the security engineer make to resolve these issues?

Accepted Answer

In the statement block that contains the Sid 'Allow use of the Key', under the 'Condition' block, change the Kms:ViaService value to ec2.us-east-1 .amazonIAM com.

Answer

In the statement block that contains the Sid 'Allow use of the key', under the 'Condition' block, change StringEquals to StringLike.

Answer

In the policy document, remove the statement Dlock that contains the Sid 'Enable IAM User Permissions'. Add key management policies to the KMS policy.

Answer

In the policy document, add a new statement block that grants the kms:Disable' permission to the security engineer's IAM role.

Question 39

A company stores images for a website in an Amazon S3 bucket. The company is using Amazon CloudFront to serve the images to end users. The company recently discovered that the images are being accessed from countries where the company does not have a distribution license.Which actions should the company take to secure the images to limit their distribution? (Select TWO.)

Accepted Answer

Update the S3 bucket policy to restrict access to a CloudFront origin access identity (OAI).

Accepted Answer

Add a CloudFront geo restriction deny list of countries where the company lacks a license.

Answer

Update the website DNS record to use an Amazon Route 53 geolocation record deny list of countries where the company lacks a license.

Answer

Update the S3 bucket policy with a deny list of countries where the company lacks a license.

Answer

Enable the Restrict Viewer Access option in CloudFront to create a deny list of countries where the company lacks a license.

Question 40

A company maintains an open-source application that is hosted on a public GitHub repository. While creating a new commit to the repository, an engineer uploaded their IAM access key and secret access key. The engineer reported the mistake to a manager, and the manager immediately disabled the access key.The company needs to assess the impact of the exposed access key. A security engineer must recommend a solution that requires the least possible managerial overhead.Which solution meets these requirements?

Accepted Answer

Analyze an IAM Identity and Access Management (IAM) use report from IAM Trusted Advisor to see when the access key was last used.

Answer

Analyze Amazon CloudWatch Logs for activity by searching for the access key.

Answer

Analyze VPC flow logs for activity by searching for the access key

Answer

Analyze a credential report in IAM Identity and Access Management (IAM) to see when the access key was last used.

Amazon SCS-C02 Practice Test 2

Amazon SCS-C02 Practice Tests