Quiz IT certification exam

Question 1

A developer at a company uses an SSH key to access multiple Amazon EC2 instances. The company discovers that the SSH key has been posted on a public GitHub repository. A security engineer verifies that the key has not been used recently.

How should the security engineer prevent unauthorized access to the EC2 instances?

Become a Premium Member for full access

Unlock Premium Member

Accepted Answer

Restrict SSH access in the security group to only known corporate IP addresses.

Answer

Delete the key pair from the EC2 console. Create a new key pair.

Answer

Use the ModifylnstanceAttribute API operation to change the key on any EC2 instance that is using the key.

Answer

Update the key pair in any AMI that is used to launch the EC2 instances. Restart the EC2 instances.

Question 2

A company uses an external identity provider to allow federation into different IAM accounts. A security engineer for the company needs to identify the federated user that terminated a production Amazon EC2 instance a week ago.What is the FASTEST way for the security engineer to identify the federated user?

Accepted Answer

Filter the IAM CloudTrail event history for the Terminatelnstances event and identify the assumed IAM role. Review the AssumeRoleWithSAML event call in CloudTrail to identify the corresponding username.

Answer

Review the IAM CloudTrail event history logs in an Amazon S3 bucket and look for the Terminatelnstances event to identify the federated user from the role session name.

Answer

Search the IAM CloudTrail logs for the Terminatelnstances event and note the event time. Review the IAM Access Advisor tab for all federated roles. The last accessed time should match the time when the instance was terminated.

Answer

Use Amazon Athena to run a SQL query on the IAM CloudTrail logs stored in an Amazon S3 bucket and filter on the Terminatelnstances event. Identify the corresponding role and run another query to filter the AssumeRoleWithWebldentity event for the user name.

Question 3

An audit determined that a company's Amazon EC2 instance security group violated company policy by allowing unrestricted incoming SSH traffic. A security engineer must implement a near-real-time monitoring and alerting solution that will notify administrators of such violations.Which solution meets these requirements with the MOST operational efficiency?

Accepted Answer

Use the restricted-ssh IAM Config managed rule that is invoked by security group configuration changes that are not compliant. Use the IAM Config remediation feature to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic.

Answer

Create a recurring Amazon Inspector assessment run that runs every day and uses the Network Reachability package. Create an Amazon CloudWatch rule that invokes an IAM Lambda function when an assessment run starts. Configure the Lambda function to retrieve and evaluate the assessment run report when it completes. Configure the Lambda function also to publish an Amazon Simple Notification Service (Amazon SNS) notification if there are any violations for unrestricted incoming SSH traffic.

Answer

Configure VPC Flow Logs for the VPC. and specify an Amazon CloudWatch Logs group. Subscribe the CloudWatch Logs group to an IAM Lambda function that parses new log entries, detects successful connections on port 22, and publishes a notification through Amazon Simple Notification Service (Amazon SNS).

Answer

Create a recurring Amazon Inspector assessment run that runs every day and uses the Security Best Practices package. Create an Amazon CloudWatch rule that invokes an IAM Lambda function when an assessment run starts. Configure the Lambda function to retrieve and evaluate the assessment run report when it completes. Configure the Lambda function also to publish an Amazon Simple Notification Service (Amazon SNS) notification if there are any violations for unrestricted incoming SSH traffic.

Question 4

A company manages multiple IAM accounts using IAM Organizations. The company's security team notices that some member accounts are not sending IAM CloudTrail logs to a centralized Amazon S3 logging bucket. The security team wants to ensure there is at least one trail configured (or all existing accounts and for any account that is created in the future.Which set of actions should the security team implement to accomplish this?

Accepted Answer

Edit the existing trail in the Organizations master account and apply it to the organization.

Answer

Create a new trail and configure it to send CloudTrail logs to Amazon S3. Use Amazon EventBridge (Amazon CloudWatch Events) to send notification if a trail is deleted or stopped.

Answer

Deploy an IAM Lambda function in every account to check if there is an existing trail and create a new trail, if needed.

Answer

Create an SCP to deny the cloudtrail:Delete' and cloudtrail:Stop' actions. Apply the SCP to all accounts.

Question 5

A company's cloud operations team is responsible for building effective security for IAM cross-account access. The team asks a security engineer to help troubleshoot why some developers in the developer account (123456789012) in the developers group are not able to assume a cross-account role (ReadS3) into a production account (999999999999) to read the contents of an Amazon S3 bucket (productionapp). The two account policies are as follows:<img alt="Amazon SCS-C02 image Question 85 7793 09162024005941000000"   width="523" height="840" src="https://examgecko.com/getfile/1491e9da-8c81-4b72-b168-2a592fa0f791">Which recommendations should the security engineer make to resolve this issue? (Select TWO.)

Accepted Answer

Ask the developers to change their password and use a different web browser.

Accepted Answer

Update the trust relationship policy on the production account S3 role to allow the account number of the developer account.

Answer

Ensure that developers are using multi-factor authentication (MFA) when they log in to their developer account as the developer role.

Answer

Modify the production account ReadS3 role policy to allow the PutBucketPolicy action on the productionapp S3 bucket.

Answer

Update the developer group permissions in the developer account to allow access to the productionapp S3 bucket.

Question 6

A company is using IAM Organizations to develop a multi-account secure networking strategy. The company plans to use separate centrally managed accounts for shared services, auditing, and security inspection. The company plans to provide dozens of additional accounts to application owners for production and development environments.Company security policy requires that all internet traffic be routed through a centrally managed security inspection layer in the security inspection account. A security engineer must recommend a solution that minimizes administrative overhead and complexity.Which solution meets these requirements?

Accepted Answer

Use IAM Control Tower. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed transit gateway and to create a default route to the transit gateway in the default route table. Create an SCP that denies the AttachlnternetGateway action. Attach the SCP to all accounts except the security inspection account.

Answer

Use IAM Control Tower. Modify the default Account Factory networking template to automatically associate new accounts with a centrally managed VPC through a VPC peering connection and to create a default route to the VPC peer in the default route table. Create an SCP that denies the CreatelnternetGateway action. Attach the SCP to all accounts except the security inspection account.

Answer

Create a centrally managed VPC in the security inspection account. Establish VPC peering connections between the security inspection account and other accounts. Instruct account owners to create default routes in their account route tables that point to the VPC peer. Create an SCP that denies the Attach InternetGateway action. Attach the SCP to all accounts except the security inspection account.

Answer

Enable IAM Resource Access Manager (IAM RAM) for IAM Organizations. Create a shared transit gateway, and make it available by using an IAM RAM resource share. Create an SCP that denies the CreatelnternetGateway action. Attach the SCP to all accounts except the security inspection account. Create routes in the route tables of all accounts that point to the shared transit gateway.

Question 7

A company plans to create individual child accounts within an existing organization in IAM Organizations for each of its DevOps teams. IAM CloudTrail has been enabled and configured on all accounts to write audit logs to an Amazon S3 bucket in a centralized IAM account. A security engineer needs to ensure that DevOps team members are unable to modify or disable this configuration.How can the security engineer meet these requirements?

Accepted Answer

Create an IAM policy that prohibits changes to the specific CloudTrail trail and apply the policy to a new IAM group. Have team members use individual IAM accounts that are members of the new IAM group.

Answer

Create an IAM policy that prohibits changes to the specific CloudTrail trail and apply the policy to the IAM account root user.

Answer

Create an S3 bucket policy in the specified destination account for the CloudTrail trail that prohibits configuration changes from the IAM account root user in the source account.

Answer

Create an SCP that prohibits changes to the specific CloudTrail trail and apply the SCP to the appropriate organizational unit or account in Organizations.

Question 8

A company uses Amazon RDS for MySQL as a database engine for its applications. A recent security audit revealed an RDS instance that is not compliant with company policy for encrypting data at rest. A security engineer at the company needs to ensure that all existing RDS databases are encrypted using server-side encryption and that any future deviations from the policy are detected.Which combination of steps should the security engineer take to accomplish this? (Select TWO.)

Accepted Answer

Create an IAM Config rule to detect the creation of unencrypted RDS databases. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to trigger on the IAM Config rules compliance state change and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.

Accepted Answer

Take a snapshot of the unencrypted RDS database. Copy the snapshot and enable snapshot encryption in the process. Restore the database instance from the newly created encrypted snapshot. Terminate the unencrypted database instance.

Answer

Use IAM System Manager State Manager to detect RDS database encryption configuration drift. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to track state changes and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.

Answer

Create a read replica for the existing unencrypted RDS database and enable replica encryption in the process. Once the replica becomes active, promote it into a standalone database instance and terminate the unencrypted database instance.

Answer

Enable encryption for the identified unencrypted RDS instance by changing the configurations of the existing database

Question 9

A company is running an application in The eu-west-1 Region. The application uses an IAM Key Management Service (IAM KMS) CMK to encrypt sensitive data. The company plans to deploy the application in the eu-north-1 Region.A security engineer needs to implement a key management solution for the application deployment in the new Region. The security engineer must minimize changes to the application code.Which change should the security engineer make to the IAM KMS configuration to meet these requirements?

Accepted Answer

Allocate a new CMK to eu-north-1 to be used by the application that is deployed in that Region.

Answer

Update the key policies in eu-west-1. Point the application in eu-north-1 to use the same CMK as the application in eu-west-1.

Answer

Allocate a new CMK to eu-north-1. Create the same alias name for both keys. Configure the application deployment to use the key alias.

Answer

Allocate a new CMK to eu-north-1. Create an alias for eu-'-1. Change the application code to point to the alias for eu-'-1.

Question 10

A development team is using an IAM Key Management Service (IAM KMS) CMK to try to encrypt and decrypt a secure string parameter from IAM Systems Manager Parameter Store. However, the development team receives an error message on each attempt.Which issues that are related to the CMK could be reasons for the error? (Select TWO.)

Accepted Answer

The CMK that is used in the attempt does not exist.

Accepted Answer

The CMK that is used in the attempt is not enabled.

Answer

The CMK that is used in the attempt needs to be rotated.

Answer

The CMK that is used in the attempt is using the CMK's key ID instead of the CMK ARN.

Answer

The CMK that is used in the attempt is using an alias.

Question 11

A company wants to ensure that its IAM resources can be launched only in the us-east-1 and us-west-2 Regions.What is the MOST operationally efficient solution that will prevent developers from launching Amazon EC2 instances in other Regions?

Accepted Answer

Provision EC2 resources by using IAM Cloud Formation templates through IAM CodePipeline. Allow only the values of us-east-1 and us-west-2 in the IAM CloudFormation template's parameters.

Answer

Enable Amazon GuardDuty in all Regions. Create alerts to detect unauthorized activity outside us-east-1 and us-west-2.

Answer

Use an organization in IAM Organizations. Attach an SCP that allows all actions when the IAM: Requested Region condition key is either us-east-1 or us-west-2. Delete the FullIAMAccess policy.

Answer

Create an IAM Config rule to prevent unauthorized activity outside us-east-1 and us-west-2.

Question 12

A company is implementing a new application in a new IAM account. A VPC and subnets have been created for the application. The application has been peered to an existing VPC in another account in the same IAM Region for database access. Amazon EC2 instances will regularly be created and terminated in the application VPC, but only some of them will need access to the databases in the peered VPC over TCP port 1521. A security engineer must ensure that only the EC2 instances that need access to the databases can access them through the network.How can the security engineer implement this solution?

Accepted Answer

Create a new security group in the application VPC with no inbound rules. Create a new security group in the database VPC with an inbound rule that allows TCP port 1521 from the new application security group in the application VPC. Attach the application security group to the application instances that need database access, and attach the database security group to the database instances.

Answer

Create a new security group in the database VPC and create an inbound rule that allows all traffic from the IP address range of the application VPC. Add a new network ACL rule on the database subnets. Configure the rule to TCP port 1521 from the IP address range of the application VPC. Attach the new security group to the database instances that the application instances need to access.

Answer

Create a new security group in the application VPC with an inbound rule that allows the IP address range of the database VPC over TCP port 1521. Create a new security group in the database VPC with an inbound rule that allows the IP address range of the application VPC over port 1521. Attach the new security group to the database instances and the application instances that need database access.

Answer

Create a new security group in the application VPC with an inbound rule that allows the IP address range of the database VPC over TCP port 1521. Add a new network ACL rule on the database subnets. Configure the rule to allow all traffic from the IP address range of the application VPC. Attach the new security group to the application instances that need database access.

Question 13

A company stores sensitive documents in Amazon S3 by using server-side encryption with an IAM Key Management Service (IAM KMS) CMK. A new requirement mandates that the CMK that is used for these documents can be used only for S3 actions.Which statement should the company add to the key policy to meet this requirement?A) Amazon SCS-C02 image Question 93 7801 09162024005941000000

Amazon SCS-C02 image Question 93 7801 09162024005941000000

B)

Accepted Answer

Option A

Answer

Option B

Question 14

A security engineer is defining the controls required to protect the IAM account root user credentials in an IAM Organizations hierarchy. The controls should also limit the impact in case these credentials have been compromised.Which combination of controls should the security engineer propose? (Select THREE.)A) Amazon SCS-C02 image Question 94 7802 09162024005941000000

Amazon SCS-C02 image Question 94 7802 09162024005941000000

B)

C) Enable multi-factor authentication (MFA) for the root user.D) Set a strong randomized password and store it in a secure location.E) Create an access key ID and secret access key, and store them in a secure location.F) Apply the following permissions boundary to the toot user: Amazon SCS-C02 image Question 94 7802 09162024005941000000

Accepted Answer

Option A

Accepted Answer

Option C

Accepted Answer

Option E

Answer

Option B

Answer

Option D

Answer

Option F

Question 15

A company is using IAM Organizations. The company wants to restrict IAM usage to the eu-west-1 Region for all accounts under an OU that is named 'development.' The solution must persist restrictions to existing and new IAM accounts under the development OU. Amazon SCS-C02 image Question 95 7803 09162024005941000000

Amazon SCS-C02 image Question 95 7803 09162024005941000000

Accepted Answer

Option A

Answer

Option B

Answer

Option C

Answer

Option D

Question 16

A company is undergoing a layer 3 and layer 4 DDoS attack on its web servers running on IAM.Which combination of IAM services and features will provide protection in this scenario? (Select THREE).

Accepted Answer

IAM Shield

Accepted Answer

Elastic Load Balancer

Accepted Answer

Amazon GuardDuty

Answer

Amazon Route 53

Answer

IAM Certificate Manager (ACM)

Answer

Amazon S3

Question 17

A security engineer needs to build a solution to turn IAM CloudTrail back on in multiple IAM Regions in case it is ever turned off.What is the MOST efficient way to implement this solution?

Accepted Answer

Create an Amazon EventBridge (Amazon CloudWatch Events) event with a cloudtrail.amazonIAM.com event source and a StartLogging event name to trigger an IAM Lambda function to call the StartLogging API.

Answer

Use IAM Config with a managed rule to trigger the IAM-EnableCloudTrail remediation.

Answer

Create an Amazon CloudWatch alarm with a cloudtrail.amazonIAM.com event source and a StopLogging event name to trigger an IAM Lambda function to call the StartLogging API.

Answer

Monitor IAM Trusted Advisor to ensure CloudTrail logging is enabled.

Question 18

A company hosts an application on Amazon EC2 that is subject to specific rules for regulatory compliance. One rule states that traffic to and from the workload must be inspected for network-level attacks. This involves inspecting the whole packet.To comply with this regulatory rule, a security engineer must install intrusion detection software on a c5n.4xlarge EC2 instance. The engineer must then configure the software to monitor traffic to and from the application instances.What should the security engineer do next?

Accepted Answer

Use Amazon Inspector to detect network-level attacks and trigger an IAM Lambda function to send the suspicious packets to the EC2 instance.

Answer

Place the network interface in promiscuous mode to capture the traffic.

Answer

Configure VPC Flow Logs to send traffic to the monitoring EC2 instance using a Network Load Balancer.

Answer

Configure VPC traffic mirroring to send traffic to the monitoring EC2 instance using a Network Load Balancer.

Question 19

A company deploys a set of standard IAM roles in AWS accounts. The IAM roles are based on job functions within the company. To balance operational efficiency and security, a security engineer implemented AWS Organizations SCPs to restrict access to critical security services in all company accounts.All of the company's accounts and OUs within AWS Organizations have a default FullAWSAccess SCP that is attached. The security engineer needs to ensure that no one can disable Amazon GuardDuty and AWS Security Hub. The security engineer also must not override other permissions that are granted by IAM policies that are defined in the accounts.Which SCP should the security engineer attach to the root of the organization to meet these requirements?A) Amazon SCS-C02 image Question 99 7807 09162024005941000000

Amazon SCS-C02 image Question 99 7807 09162024005941000000

B)

C)

D)

Accepted Answer

Option A

Answer

Option B

Answer

Option C

Answer

Option D

Question 20

A company has developed a new Amazon RDS database application. The company must secure the ROS database credentials for encryption in transit and encryption at rest. The company also must rotate the credentials automatically on a regular basis.Which solution meets these requirements?

Accepted Answer

Use IAM Systems Manager Parameter Store to store the database credentiais. Configure automatic rotation of the credentials.

Answer

Use IAM Secrets Manager to store the database credentials. Configure automat* rotation of the credentials

Answer

Store the database credentials in an Amazon S3 bucket that is configured with server-side encryption with S3 managed encryption keys (SSE-S3) Rotate the credentials with IAM database authentication.

Answer

Store the database credentials m Amazon S3 Glacier, and use S3 Glacier Vault Lock Configure an IAM Lambda function to rotate the credentials on a scheduled basts

Question 21

A company deploys a distributed web application on a fleet of Amazon EC2 instances. The fleet is behind an Application Load Balancer (ALB) that will be configured to terminate the TLS connection. All TLS traffic to the ALB must stay secure, even if the certificate private key is compromised.How can a security engineer meet this requirement?

Accepted Answer

Create an HTTPS listener that uses a certificate that is managed by IAM Certificate Manager (ACM).

Answer

Create an HTTPS listener that uses a security policy that uses a cipher suite with perfect toward secrecy (PFS).

Answer

Create an HTTPS listener that uses the Server Order Preference security feature.

Answer

Create a TCP listener that uses a custom security policy that allows only cipher suites with perfect forward secrecy (PFS).

Question 22

A company's application team wants to replace an internal application with a new IAM architecture that consists of Amazon EC2 instances, an IAM Lambda function, and an Amazon S3 bucket in a single IAM Region. After an architecture review, the security team mandates that no application network traffic can traverse the public internet at any point. The security team already has an SCP in place for the company's organization in IAM Organizations to restrict the creation of internet gateways. NAT gateways, and egress-only gateways.Which combination of steps should the application team take to meet these requirements? (Select THREE.)

Accepted Answer

Create an S3 endpoint that has a full-access policy for the application's VPC.

Accepted Answer

Create a security group that has an outbound rule over port 443 with a destination of the S3 endpomt. Associate the security group with the EC2 instances.

Accepted Answer

Launch the Lambda function in a VPC.

Answer

Create an S3 access point for the S3 bucket. Include a policy that restricts the network origin to VPCs.

Answer

Launch the Lambda function. Enable the block public access configuration.

Answer

Create a security group that has an outbound rule over port 443 with a destination of the S3 access point. Associate the security group with the EC2 instances.

Question 23

A security engineer receives an IAM abuse email message. According to the message, an Amazon EC2 instance that is running in the security engineer's IAM account is sending phishing email messages.The EC2 instance is part of an application that is deployed in production. The application runs on many EC2 instances behind an Application Load Balancer. The instances run in an Amazon EC2 Auto Scaling group across multiple subnets and multiple Availability Zones.The instances normally communicate only over the HTTP. HTTPS, and MySQL protocols. Upon investigation, the security engineer discovers that email messages are being sent over port 587. All other traffic is normal.The security engineer must create a solution that contains the compromised EC2 instance, preserves forensic evidence for analysis, and minimizes application downtime. Which combination of steps must the security engineer take to meet these requirements? (Select THREE.)

Accepted Answer

Add an outbound rule to the security group that is attached to the compromised EC2 instance to deny traffic to 0.0.0.0/0 and port 587.

Accepted Answer

Gather volatile memory from the compromised EC2 instance. Suspend the compromised EC2 instance from the Auto Scaling group. Then take a snapshot of the compromised EC2 instance. v

Accepted Answer

Move the compromised EC2 instance to an isolated subnet that has a network ACL that has no inbound rules or outbound rules.

Answer

Add an outbound rule to the network ACL for the subnet that contains the compromised EC2 instance to deny traffic to 0.0.0.0/0 and port 587.

Answer

Take a snapshot of the compromised EC2 instance. Suspend the compromised EC2 instance from the Auto Scaling group. Then gather volatile memory from the compromised EC2 instance.

Answer

Replace the existing security group that is attached to the compromised EC2 instance with a new security group that has no inbound rules or outbound rules.

Question 24

A company has an application that uses an Amazon RDS PostgreSQL database. The company is developing an application feature that will store sensitive information for an individual in the database.During a security review of the environment, the company discovers that the RDS DB instance is not encrypting data at rest. The company needs a solution that will provide encryption at rest for all the existing data and for any new data that is entered for an individual.Which combination of options can the company use to meet these requirements? (Select TWO.)

Accepted Answer

Use IAM Key Management Service (IAM KMS) to create a new default IAM managed awa/rds key. Select this key as the encryption key for operations with Amazon RDS.

Accepted Answer

Create a snapshot of the DB instance. Enable encryption on the snapshoVUse the snapshot to restore the DB instance.

Answer

Create a snapshot of the DB instance. Copy the snapshot to a new snapshot, and enable encryption for the copy process. Use the new snapshot to restore the DB instance.

Answer

Modify the configuration of the DB instance by enabling encryption. Create a snapshot of the DB instance. Use the snapshot to restore the DB instance.

Answer

Use IAM Key Management Service (IAM KMS] to create a new CMK. Select this key as the encryption key for operations with Amazon RDS.

Question 25

A company is hosting multiple applications within a single VPC in its IAM account. The applications are running behind an Application Load Balancer that is associated with an IAM WAF web ACL. The company's security team has identified that multiple port scans are originating from a specific range of IP addresses on the internet.A security engineer needs to deny access from the offending IP addresses.Which solution will meet these requirements?

Accepted Answer

Modify the IAM WAF web ACL with an IP set match rule statement to deny incoming requests from the IP address range.

Answer

Add a rule to all security groups to deny the incoming requests from the IP address range.

Answer

Modify the IAM WAF web ACL with a rate-based rule statement to deny the incoming requests from the IP address range.

Answer

Configure the IAM WAF web ACL with regex match conditions. Specify a pattern set to deny the incoming requests based on the match condition

Question 26

A company's application team needs to host a MySQL database on IAM. According to the company's security policy, all data that is stored on IAM must be encrypted at rest. In addition, all cryptographic material must be compliant with FIPS 140-2 Level 3 validation.The application team needs a solution that satisfies the company's security requirements and minimizes operational overhead.Which solution will meet these requirements?

Accepted Answer

Host the database on Amazon RDS. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use an IAM managed CMK in IAM Key Management Service (IAM KMS) for key management.

Answer

Host the database on Amazon RDS. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use an IAM Key Management Service (IAM KMS) custom key store that is backed by IAM CloudHSM for key management.

Answer

Host the database on an Amazon EC2 instance. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use a customer managed CMK in IAM Key Management Service (IAM KMS) for key management.

Answer

Host the database on an Amazon EC2 instance. Use Transparent Data Encryption (TDE) for encryption and key management.

Question 27

A Network Load Balancer (NLB) target instance is not entering the InService state. A security engineer determines that health checks are failing.Which factors could cause the health check failures? (Select THREE.)

Accepted Answer

The target instance's security group does not allow traffic from the NLB.

Accepted Answer

The NLB's security group is not attached to the target instance.

Accepted Answer

The target instance's subnet network ACL does not allow traffic from the NLB.

Answer

The target instance's security group is not attached to the NLB.

Answer

The target instance's security group is not using IP addresses to allow traffic from the NLB.

Answer

The target network ACL is not attached to the NLB.

Question 28

A security engineer is working with a company to design an ecommerce application. The application will run on Amazon EC2 instances that run in an Auto Scaling group behind an Application Load Balancer (ALB). The application will use an Amazon RDS DB instance for its database.The only required connectivity from the internet is for HTTP and HTTPS traffic to the application. The application must communicate with an external payment provider that allows traffic only from a preconfigured allow list of IP addresses. The company must ensure that communications with the external payment provider are not interrupted as the environment scales.Which combination of actions should the security engineer recommend to meet these requirements? (Select THREE.)

Accepted Answer

Deploy a NAT gateway in each private subnet for every Availability Zone that is in use.

Accepted Answer

Place the DB instance in a private subnet.

Accepted Answer

Configure the Auto Scaling group to place the EC2 instances in a private subnet.

Answer

Place the DB instance in a public subnet.

Answer

Configure the Auto Scaling group to place the EC2 instances in a public subnet.

Answer

Deploy the ALB in a private subnet.

Question 29

A company has two teams, and each team needs to access its respective Amazon S3 buckets. The company anticipates adding more teams that also will have their own S3 buckets. When the company adds these teams, team members will need the ability to be assigned to multiple teams. Team members also will need the ability to change teams. Additional S3 buckets can be created or deleted.An IAM administrator must design a solution to accomplish these goals. The solution also must be scalable and must require the least possible operational overhead.Which solution meets these requirements?

Accepted Answer

Add users to groups that represent the teams. Create a policy for each team that allows the team to access its respective S3 buckets only. Attach the policy to the corresponding group.

Answer

Create an IAM role for each team. Create a policy for each team that allows the team to access its respective S3 buckets only. Attach the policy to the corresponding role.

Answer

Create IAM roles that are labeled with an access tag value of a team. Create one policy that allows dynamic access to S3 buckets with the same tag. Attach the policy to the IAM roles. Tag the S3 buckets accordingly.

Answer

Implement a role-based access control (RBAC) authorization model. Create the corresponding policies, and attach them to the IAM users.

Question 30

A company wants to monitor the deletion of customer managed CMKs A security engineer must create an alarm that will notify the company before a CMK is deleted The security engineer has configured the integration of IAM CloudTrail with Amazon CloudWatchWhat should the security engineer do next to meet this requirement?

Accepted Answer

Use inbound rule 100 to allow traffic on TCP port 443 Use inbound rule 200 to deny traffic on TCP port 3306 Use outbound rule 100 to allow traffic on TCP port 443

Answer

Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port range 1024-65535. Use outbound rule 100 to allow traffic on TCP port 443

Answer

Use inbound rule 100 to allow traffic on TCP port range 1024-65535 Use inbound rule 200 to deny traffic on TCP port 3306 Use outbound rule 100 to allow traffic on TCP port 443

Answer

Use inbound rule 100 to deny traffic on TCP port 3306 Use inbound rule 200 to allow traffic on TCP port 443 Use outbound rule 100 to allow traffic on TCP port 443

Question 31

A company is hosting a static website on Amazon S3 The company has configured an Amazon CloudFront distribution to serve the website contents The company has associated an IAM WAF web ACL with the CloudFront distribution. The web ACL ensures that requests originate from the United States to address compliance restrictions.THE company is worried that the S3 URL might still be accessible directly and that requests can bypass the CloudFront distributionWhich combination of steps should the company take to remove direct access to the S3 URL? (Select TWO. )

Accepted Answer

Select 'Restrict Bucket Access' in the origin settings of the CloudFront distribution

Accepted Answer

Configure the S3 bucket poky so that only the origin access identity (OAI) has read permission for objects in the bucket

Answer

Create an origin access identity (OAI) for the S3 origin

Answer

Update the S3 bucket policy to allow s3 GetObject with a condition that the IAM Referer key matches the secret value Deny all other requests

Answer

Add an origin custom header that has the name Referer to the CloudFront distribution Give the header a secret value.

Question 32

A company's security team is building a solution for logging and visualization. The solution will assist the company with the large variety and velocity of data that it receives from IAM across multiple accounts. The security team has enabled IAM CloudTrail and VPC Flow Logs in all of its accounts. In addition, the company has an organization in IAM Organizations and has an IAM Security Hub master account.The security team wants to use Amazon Detective However the security team cannot enable Detective and is unsure whyWhat must the security team do to enable Detective?

Accepted Answer

Ensure that the principal that launches Detective has the organizations ListAccounts permission

Answer

Enable Amazon Macie so that Secunty H jb will allow Detective to process findings from Macie.

Answer

Disable IAM Key Management Service (IAM KMS) encryption on CtoudTrail logs in every member account of the organization

Answer

Enable Amazon GuardDuty on all member accounts Try to enable Detective in 48 hours

Question 33

An application team wants to use IAM Certificate Manager (ACM) to request public certificates to ensure that data is secured in transit. The domains that are being used are not currently hosted on Amazon Route 53The application team wants to use an IAM managed distribution and caching solution to optimize requests to its systems and provide better points of presence to customers The distribution solution will use a primary domain name that is customized The distribution solution also will use several alternative domain names The certificates must renew automatically over an indefinite period of timeWhich combination of steps should the application team take to deploy this architecture? (Select THREE.)

Accepted Answer

Request validation of the domains for ACM through DNS Insert CNAME records into each domain's DNS zone

Accepted Answer

Create an Application Load Balancer for me caching solution Select the newly requested certificate from ACM to be used for secure connections

Accepted Answer

Request a certificate from ACM in the us-east-1 Region Add the domain names that the certificate wil secure

Answer

Request a certificate (torn ACM in the us-west-2 Region Add the domain names that the certificate will secure

Answer

Send an email message to the domain administrators to request vacation of the domains for ACM

Answer

Create an Amazon CloudFront distribution for the caching solution Enter the main CNAME record as the Origin Name Enter the subdomain names or alternate names in the Alternate Domain Names Distribution Settings Select the newly requested certificate from ACM to be used for secure connections

Question 34

A security engineer needs to create an IAM Key Management Service B) Amazon SCS-C02 image Question 114 7822 09162024005941000000

C)

Accepted Answer

Option A

Answer

Option B

Answer

Option C

Question 35

A business requires a forensic logging solution for hundreds of Docker-based apps running on Amazon EC2. The solution must analyze logs in real time, provide message replay, and persist logs.Which Amazon Web Offerings (IAM) services should be employed to satisfy these requirements? (Select two.)

Accepted Answer

Amazon Kinesis

Accepted Answer

Amazon Elasticsearch

Answer

Amazon Athena

Answer

Amazon SQS

Answer

Amazon EMR

Question 36

Within a VPC, a corporation runs an Amazon RDS Multi-AZ DB instance. The database instance is connected to the internet through a NAT gateway via two subnets.Additionally, the organization has application servers that are hosted on Amazon EC2 instances and use the RDS database. These EC2 instances have been deployed onto two more private subnets inside the same VPC. These EC2 instances connect to the internet through a default route via the same NAT gateway. Each VPC subnet has its own route table.The organization implemented a new security requirement after a recent security examination. Never allow the database instance to connect to the internet. A security engineer must perform this update promptly without interfering with the network traffic of the application servers.How will the security engineer be able to comply with these requirements?

Accepted Answer

Modify the route tables of the DB instance subnets to remove the default route to the NAT gateway.

Answer

Remove the existing NAT gateway. Create a new NAT gateway that only the application server subnets can use.

Answer

Configure the DB instances inbound network ACL to deny traffic from the security group ID of the NAT gateway.

Answer

Configure the route table of the NAT gateway to deny connections to the DB instance subnets.

Question 37

A development team is attempting to encrypt and decode a secure string parameter from the IAM Systems Manager Parameter Store using an IAM Key Management Service (IAM KMS) CMK. However, each attempt results in an error message being sent to the development team.Which CMK-related problems possibly account for the error? (Select two.)

Accepted Answer

The CMK is used in the attempt does not exist.

Accepted Answer

The CMK is used in the attempt is not enabled.

Answer

The CMK is used in the attempt needs to be rotated.

Answer

The CMK is used in the attempt is using the CMKs key ID instead of the CMK ARN.

Answer

The CMK is used in the attempt is using an alias.

Question 38

A business stores website images in an Amazon S3 bucket. The firm serves the photos to end users through Amazon CloudFront. The firm learned lately that the photographs are being accessible from nations in which it does not have a distribution license.Which steps should the business take to safeguard the photographs and restrict their distribution? (Select two.)

Accepted Answer

Update the S3 bucket policy to restrict access to a CloudFront origin access identity (OAI).

Accepted Answer

Add a CloudFront geo restriction deny list of countries where the company lacks a license.

Answer

Update the website DNS record to use an Amazon Route 53 geolocation record deny list of countries where the company lacks a license.

Answer

Update the S3 bucket policy with a deny list of countries where the company lacks a license.

Answer

Enable the Restrict Viewer Access option in CloudFront to create a deny list of countries where the company lacks a license.

Question 39

A company has multiple departments. Each department has its own IAM account. All these accounts belong to the same organization in IAM Organizations.A large .csv file is stored in an Amazon S3 bucket in the sales department's IAM account. The company wants to allow users from the other accounts to access the .csv file's content through the combination of IAM Glue and Amazon Athen a. However, the company does not want to allow users from the other accounts to access other files in the same folder.Which solution will meet these requirements?

Accepted Answer

Apply a user policy in the other accounts to allow IAM Glue and Athena lo access the .csv We.

Answer

Use S3 Select to restrict access to the .csv lie. In IAM Glue Data Catalog, use S3 Select as the source of the IAM Glue database.

Answer

Define an IAM Glue Data Catalog resource policy in IAM Glue to grant cross-account S3 object access to the .csv file.

Answer

Grant IAM Glue access to Amazon S3 in a resource-based policy that specifies the organization as the principal.

Question 40

A company is attempting to conduct forensic analysis on an Amazon EC2 instance, but the company is unable to connect to the instance by using AWS Systems Manager Session Manager. The company has installed AWS Systems Manager Agent (SSM Agent) on the EC2 instance.The EC2 instance is in a subnet in a VPC that does not have an internet gateway attached. The company has associated a security group with the EC2 instance. The security group does not have inbound or outbound rules. The subnet's network ACL allows all inbound and outbound traffic.Which combination of actions will allow the company to conduct forensic analysis on the EC2 instance without compromising forensic data? (Select THREE.)

Accepted Answer

Update the EC2 instance security group to add a rule that allows inbound traffic on port 443 to the VPC's CIDR range.

Accepted Answer

Create an EC2 key pair. Associate the key pair with the EC2 instance.

Accepted Answer

Create a VPC interface endpoint for the EC2 instance in the VPC where the EC2 instance is located.

Answer

Update the EC2 instance security group to add a rule that allows outbound traffic on port 443 for 0.0.0.0/0.

Answer

Create a VPC interface endpoint for Systems Manager in the VPC where the EC2 instance is located.

Answer

Attach a security group to the VPC interface endpoint. Allow inbound traffic on port 443 to the VPC's CIDR range.

Amazon SCS-C02 Practice Test 3

Amazon SCS-C02 Practice Tests