Amazon SCS-C02 Practice Test - Questions Answers, Page 10

Question 91

A company wants to ensure that its AWS resources can be launched only in the us-east-1 and us-west-2 Regions.

What is the MOST operationally efficient solution that will prevent developers from launching Amazon EC2 instances in other Regions?

Question 92

A company is implementing a new application in a new AWS account. A VPC and subnets have been created for the application. The application has been peered to an existing VPC in another account in the same AWS Region for database access. Amazon EC2 instances will regularly be created and terminated in the application VPC, but only some of them will need access to the databases in the peered VPC over TCP port 1521. A security engineer must ensure that only the EC2 instances that need access to the databases can access them through the network.

How can the security engineer implement this solution?

Question 93

A company stores sensitive documents in Amazon S3 by using server-side encryption with an AWS Key Management Service (AWS KMS) CMK. A new requirement mandates that the CMK that is used for these documents can be used only for S3 actions.

Which statement should the company add to the key policy to meet this requirement?

A)

Amazon SCS-C02 image Question 93 7801 09162024005941000000

B)

Amazon SCS-C02 image Question 93 7801 09162024005941000000

Question 94

A security engineer is defining the controls required to protect the AWS account root user credentials in an AWS Organizations hierarchy. The controls should also limit the impact in case these credentials have been compromised.

Which combination of controls should the security engineer propose? (Select THREE.)

A)

Amazon SCS-C02 image Question 94 7802 09162024005941000000

B)

Amazon SCS-C02 image Question 94 7802 09162024005941000000

C) Enable multi-factor authentication (MFA) for the root user.

D) Set a strong randomized password and store it in a secure location.

E) Create an access key ID and secret access key, and store them in a secure location.

F) Apply the following permissions boundary to the root user:

Amazon SCS-C02 image Question 94 7802 09162024005941000000

Question 95

A company is using AWS Organizations. The company wants to restrict AWS usage to the eu-west-1 Region for all accounts under an OU that is named 'development.' The solution must persist restrictions to existing and new AWS accounts under the development OU.

Amazon SCS-C02 image Question 95 7803 09162024005941000000

Amazon SCS-C02 image Question 95 7803 09162024005941000000

Amazon SCS-C02 image Question 95 7803 09162024005941000000

Amazon SCS-C02 image Question 95 7803 09162024005941000000

Question 96

A company is undergoing a layer 3 and layer 4 DDoS attack on its web servers running on AWS.

Which combination of AWS services and features will provide protection in this scenario? (Select THREE.)

Question 97

A security engineer needs to build a solution to turn AWS CloudTrail back on in multiple AWS Regions in case it is ever turned off.

What is the MOST efficient way to implement this solution?

Question 98

A company hosts an application on Amazon EC2 that is subject to specific rules for regulatory compliance. One rule states that traffic to and from the workload must be inspected for network-level attacks. This involves inspecting the whole packet.

To comply with this regulatory rule, a security engineer must install intrusion detection software on a c5n.4xlarge EC2 instance. The engineer must then configure the software to monitor traffic to and from the application instances.

What should the security engineer do next?

Question 99

A company deploys a set of standard IAM roles in AWS accounts. The IAM roles are based on job functions within the company. To balance operational efficiency and security, a security engineer implemented AWS Organizations SCPs to restrict access to critical security services in all company accounts.

All of the company's accounts and OUs within AWS Organizations have a default FullAWSAccess SCP that is attached. The security engineer needs to ensure that no one can disable Amazon GuardDuty and AWS Security Hub. The security engineer also must not override other permissions that are granted by IAM policies that are defined in the accounts.

Which SCP should the security engineer attach to the root of the organization to meet these requirements?

A)

Amazon SCS-C02 image Question 99 7807 09162024005941000000

B)

Amazon SCS-C02 image Question 99 7807 09162024005941000000

C)

Amazon SCS-C02 image Question 99 7807 09162024005941000000

D)

Amazon SCS-C02 image Question 99 7807 09162024005941000000

Question 100

A company has developed a new Amazon RDS database application. The company must secure the RDS database credentials for encryption in transit and encryption at rest. The company also must rotate the credentials automatically on a regular basis.

Which solution meets these requirements?

Total 372 questions