Amazon SCS-C02 Practice Test - Questions Answers, Page 12

A company is hosting a static website on Amazon S3. The company has configured an Amazon CloudFront distribution to serve the website contents. The company has associated an AWS WAF web ACL with the CloudFront distribution. The web ACL ensures that requests originate from the United States to address compliance restrictions.

The company is worried that the S3 URL might still be accessible directly and that requests can bypass the CloudFront distribution.

Which combination of steps should the company take to remove direct access to the S3 URL? (Select TWO.)

A.
Select 'Restrict Bucket Access' in the origin settings of the CloudFront distribution.
B.
Create an origin access identity (OAI) for the S3 origin.
C.
Update the S3 bucket policy to allow s3:GetObject with a condition that the aws:Referer key matches the secret value. Deny all other requests.
D.
Configure the S3 bucket policy so that only the origin access identity (OAI) has read permission for objects in the bucket.
E.
Add an origin custom header that has the name Referer to the CloudFront distribution. Give the header a secret value.
Suggested answer: A, D
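The point of option D is that the bucket policy must grant read access to the OAI and to nothing else; a leftover public-read statement (or a `Principal: "*"` statement gated only on a shared-secret `aws:Referer` header, options C and E) keeps the S3 URL reachable around CloudFront and the WAF. The following is an added example, not code from the exam page or from AWS: an offline audit of a bucket policy that flags any statement granting object reads to a principal other than the OAI. The bucket name, account ID and OAI ID are invented.

```python
"""Audit an S3 bucket policy for read paths that bypass CloudFront.

Added example (not from the exam page or from AWS). It checks, offline, that
the only principal allowed to read objects is the CloudFront origin access
identity (OAI). The bucket name and OAI ARN below are hypothetical.
"""
import json

OAI_ARN = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1EXAMPLE"  # hypothetical
BUCKET = "example-static-site"  # hypothetical

# Constructed policies. The "before" policy is the common mistake: the bucket
# stays world-readable, so the S3 website/REST URL bypasses CloudFront and WAF.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
        {"Sid": "CloudFrontRead", "Effect": "Allow",
         "Principal": {"AWS": OAI_ARN},
         "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    ],
}
# The "after" policy grants read only to the OAI (option D once the OAI exists).
OAI_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CloudFrontRead", "Effect": "Allow",
         "Principal": {"AWS": OAI_ARN},
         "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    ],
}

# Action patterns that let a principal read object bodies.
READ_ACTIONS = {"s3:getobject", "s3:*", "*", "s3:get*"}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _principals(principal):
    """Flatten the Principal element to a set of strings ("*" for anonymous)."""
    if principal == "*":
        return {"*"}
    out = set()
    for key, val in principal.items():  # e.g. {"AWS": [...]} or {"Service": ...}
        for v in _as_list(val):
            out.add("*" if v == "*" else f"{key}:{v}")
    return out


def _grants_read(statement):
    actions = {a.lower() for a in _as_list(statement.get("Action", []))}
    return statement.get("Effect") == "Allow" and bool(actions & READ_ACTIONS)


def audit_bucket_policy(policy, oai_arn):
    """Return a list of findings; an empty list means only the OAI can read.

    A statement with Principal "*" is flagged even when it carries a Condition
    (for example on aws:Referer): the object is still fetchable by anyone who
    learns the header value, so it is not equivalent to an OAI grant.
    """
    findings = []
    oai_seen = False
    for st in policy.get("Statement", []):
        if not _grants_read(st):
            continue
        sid = st.get("Sid", "<no Sid>")
        for p in _principals(st.get("Principal", {})):
            if p == "*":
                kind = "conditional public read" if "Condition" in st else "public read"
                findings.append(f"{sid}: {kind} ({st.get('Condition', {})})")
            elif p == f"AWS:{oai_arn}":
                oai_seen = True
            else:
                findings.append(f"{sid}: read granted to non-OAI principal {p}")
    if not oai_seen:
        findings.append("no statement grants read to the OAI; CloudFront itself will get 403")
    return findings


if __name__ == "__main__":
    for name, pol in [("public", PUBLIC_POLICY), ("oai-only", OAI_ONLY_POLICY)]:
        print(name, json.dumps(audit_bucket_policy(pol, OAI_ARN), indent=2))
```

The check also reports a policy that forgot the OAI grant altogether, which is the other common outcome of "locking down" the bucket: CloudFront starts returning 403 for every object. Block Public Access settings and the bucket ACL are outside this check and should be verified separately.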

A company's security team is building a solution for logging and visualization. The solution will assist the company with the large variety and velocity of data that it receives from AWS across multiple accounts. The security team has enabled AWS CloudTrail and VPC Flow Logs in all of its accounts. In addition, the company has an organization in AWS Organizations and has an AWS Security Hub master account.

The security team wants to use Amazon Detective. However, the security team cannot enable Detective and is unsure why.

What must the security team do to enable Detective?

A.
Enable Amazon Macie so that Security Hub will allow Detective to process findings from Macie.
B.
Disable AWS Key Management Service (AWS KMS) encryption on CloudTrail logs in every member account of the organization.
C.
Enable Amazon GuardDuty on all member accounts. Try to enable Detective in 48 hours.
D.
Ensure that the principal that launches Detective has the organizations:ListAccounts permission.
Suggested answer: C

Explanation:

Detective can be enabled only in an account where Amazon GuardDuty has been enabled for at least 48 hours; it ingests GuardDuty findings alongside CloudTrail and VPC Flow Logs. Macie, KMS encryption of CloudTrail logs and the organizations:ListAccounts permission are not prerequisites.

An application team wants to use AWS Certificate Manager (ACM) to request public certificates to ensure that data is secured in transit. The domains that are being used are not currently hosted on Amazon Route 53.

The application team wants to use an AWS managed distribution and caching solution to optimize requests to its systems and provide better points of presence to customers. The distribution solution will use a primary domain name that is customized. The distribution solution also will use several alternative domain names. The certificates must renew automatically over an indefinite period of time.

Which combination of steps should the application team take to deploy this architecture? (Select THREE.)

A.
Request a certificate from ACM in the us-west-2 Region. Add the domain names that the certificate will secure.
B.
Send an email message to the domain administrators to request validation of the domains for ACM.
C.
Request validation of the domains for ACM through DNS. Insert CNAME records into each domain's DNS zone.
D.
Create an Application Load Balancer for the caching solution. Select the newly requested certificate from ACM to be used for secure connections.
E.
Create an Amazon CloudFront distribution for the caching solution. Enter the main CNAME record as the Origin Name. Enter the subdomain names or alternate names in the Alternate Domain Names distribution settings. Select the newly requested certificate from ACM to be used for secure connections.
F.
Request a certificate from ACM in the us-east-1 Region. Add the domain names that the certificate will secure.
Suggested answer: C, E, F

Explanation:

CloudFront is the managed distribution and caching service; an Application Load Balancer does not cache. CloudFront can use only ACM certificates issued in us-east-1. DNS validation renews automatically for as long as the CNAME records stay in the zones, whereas email validation needs a human to respond before each renewal.

A security engineer needs to create an AWS Key Management Service (AWS KMS) key that will be used to encrypt all data stored in a company's Amazon S3 buckets in the us-west-1 Region. The key will use server-side encryption. Usage of the key must be limited to requests coming from Amazon S3 within the company's account.

Which statement in the KMS key policy will meet these requirements?

A)

B)

C)

A.
Option A
B.
Option B
C.
Option C
Suggested answer: A
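The three policy statements the question shows are images that did not survive extraction, so they are not reproduced here. What the requirement maps to in a key policy is two condition keys: `kms:ViaService`, which restricts use to requests that S3 in a given Region makes on a caller's behalf, and `kms:CallerAccount`, which restricts those callers to one account. The following is an added example, not one of the exam's answer options and not AWS code: a statement built from those two conditions, plus a small evaluator that replays constructed request contexts against it to show which calls get through. The account ID is invented.

```python
"""Key policy statement limiting a KMS key to S3 in one account and one Region.

Added example, not one of the exam's answer options and not AWS code. The
account ID is hypothetical. The evaluator below handles only the StringEquals
operator and is meant to replay request contexts against this one statement.
"""
ACCOUNT_ID = "111122223333"  # hypothetical
REGION = "us-west-1"

# kms:ViaService limits use to requests S3 makes on the caller's behalf in that
# Region; kms:CallerAccount limits those callers to this account.
S3_ONLY_STATEMENT = {
    "Sid": "AllowS3InThisAccountOnly",
    "Effect": "Allow",
    "Principal": {"AWS": "*"},
    "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:DescribeKey"],
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "kms:ViaService": f"s3.{REGION}.amazonaws.com",
            "kms:CallerAccount": ACCOUNT_ID,
        }
    },
}


def _action_matches(pattern, action):
    """IAM action matching with a trailing wildcard, case-insensitive."""
    pattern, action = pattern.lower(), action.lower()
    return action == pattern or (pattern.endswith("*") and action.startswith(pattern[:-1]))


def _conditions_hold(condition, context):
    """Evaluate StringEquals blocks; a key absent from the request context fails."""
    for operator, tests in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)  # keep the toy evaluator honest
        for key, expected in tests.items():
            if context.get(key) != expected:
                return False
    return True


def statement_allows(statement, action, context):
    """Does this Allow statement permit `action` for a request carrying `context`?"""
    if statement["Effect"] != "Allow":
        return False
    if not any(_action_matches(p, action) for p in statement["Action"]):
        return False
    return _conditions_hold(statement.get("Condition", {}), context)


# Constructed request contexts, as KMS would evaluate them.
VIA_S3_SAME_ACCOUNT = {"kms:ViaService": "s3.us-west-1.amazonaws.com", "kms:CallerAccount": ACCOUNT_ID}
VIA_S3_OTHER_REGION = {"kms:ViaService": "s3.us-east-1.amazonaws.com", "kms:CallerAccount": ACCOUNT_ID}
VIA_S3_OTHER_ACCOUNT = {"kms:ViaService": "s3.us-west-1.amazonaws.com", "kms:CallerAccount": "999999999999"}
DIRECT_CALL = {"kms:CallerAccount": ACCOUNT_ID}  # e.g. `aws kms decrypt` from a shell: no ViaService

if __name__ == "__main__":
    for name, ctx in [("via S3, same account", VIA_S3_SAME_ACCOUNT), ("direct call", DIRECT_CALL),
                      ("via S3, other Region", VIA_S3_OTHER_REGION), ("via S3, other account", VIA_S3_OTHER_ACCOUNT)]:
        print(f"{name}: {statement_allows(S3_ONLY_STATEMENT, 'kms:GenerateDataKey', ctx)}")
```

A complete key policy still needs the usual administrative statement for the account (the `arn:aws:iam::<account>:root` principal or a key administrator role); without it the key cannot be managed, and this S3-only statement must not be the only statement in the policy.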

A business requires a forensic logging solution for hundreds of Docker-based apps running on Amazon EC2. The solution must analyze logs in real time, provide message replay, and persist logs.

Which Amazon Web Services (AWS) services should be employed to satisfy these requirements? (Select two.)

A.
Amazon Athena
B.
Amazon Kinesis
C.
Amazon SQS
D.
Amazon Elasticsearch
E.
Amazon EMR
Suggested answer: B, D

Within a VPC, a corporation runs an Amazon RDS Multi-AZ DB instance. The database instance is connected to the internet through a NAT gateway via two subnets.

Additionally, the organization has application servers that are hosted on Amazon EC2 instances and use the RDS database. These EC2 instances have been deployed onto two more private subnets inside the same VPC. These EC2 instances connect to the internet through a default route via the same NAT gateway. Each VPC subnet has its own route table.

The organization implemented a new security requirement after a recent security examination: never allow the database instance to connect to the internet. A security engineer must perform this update promptly without interfering with the network traffic of the application servers.

How will the security engineer be able to comply with these requirements?

A.
Remove the existing NAT gateway. Create a new NAT gateway that only the application server subnets can use.
B.
Configure the DB instance's inbound network ACL to deny traffic from the security group ID of the NAT gateway.
C.
Modify the route tables of the DB instance subnets to remove the default route to the NAT gateway.
D.
Configure the route table of the NAT gateway to deny connections to the DB instance subnets.
Suggested answer: C

Explanation:

Each subnet has its own route table, so removing the 0.0.0.0/0 route from the two DB subnet route tables cuts the database off from the internet while the application subnets keep their default route through the NAT gateway. Replacing the NAT gateway (A) interrupts the application servers, network ACLs cannot reference a security group ID (B), and route tables have no deny entries (D).
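Option C is safe only because each subnet has its own route table. If a DB subnet shared a table with an application subnet, deleting the default route would also cut the application servers off, so the check to run before touching anything is whether any DB subnet's table is shared. The following is an added example, not code from the exam page or from AWS: it models the VPC from the question with hand-built route-table records (the IDs are invented), performs the change offline, and refuses to proceed when a table is shared; on a real VPC the same logic would sit in front of `ec2:DescribeRouteTables` and `ec2:DeleteRoute`.

```python
"""Remove the DB subnets' default route without touching the app subnets.

Added example, not from the exam page or from AWS. Route-table, subnet and
NAT gateway IDs are hypothetical; nothing is queried from AWS.
"""
import copy

NAT = "nat-0123456789abcdef0"  # hypothetical NAT gateway ID
LOCAL = ("10.0.0.0/16", "local")

# Constructed state: four private subnets, each with its own route table, all
# with a default route through the same NAT gateway.
ROUTE_TABLES = {
    "rtb-db-a":  {"subnets": ["subnet-db-a"],  "routes": [LOCAL, ("0.0.0.0/0", NAT)]},
    "rtb-db-b":  {"subnets": ["subnet-db-b"],  "routes": [LOCAL, ("0.0.0.0/0", NAT)]},
    "rtb-app-a": {"subnets": ["subnet-app-a"], "routes": [LOCAL, ("0.0.0.0/0", NAT)]},
    "rtb-app-b": {"subnets": ["subnet-app-b"], "routes": [LOCAL, ("0.0.0.0/0", NAT)]},
}
DB_SUBNETS = {"subnet-db-a", "subnet-db-b"}


def tables_for(route_tables, subnets):
    """IDs of the route tables associated with any of the given subnets."""
    return {rtb for rtb, rec in route_tables.items() if set(rec["subnets"]) & set(subnets)}


def has_internet_route(rec):
    """A default route to anything other than 'local' reaches the internet."""
    return any(dest == "0.0.0.0/0" and target != "local" for dest, target in rec["routes"])


def cut_db_internet_routes(route_tables, db_subnets):
    """Return a copy with the default route removed from the DB subnets' tables.

    Refuses to act if a DB subnet shares a route table with a non-DB subnet:
    deleting the route there would also cut off the application servers, which
    is exactly what the requirement forbids.
    """
    new = copy.deepcopy(route_tables)
    for rtb in tables_for(new, db_subnets):
        others = set(new[rtb]["subnets"]) - set(db_subnets)
        if others:
            raise ValueError(f"{rtb} is shared with {sorted(others)}; "
                             "move the DB subnets to their own route table first")
        new[rtb]["routes"] = [r for r in new[rtb]["routes"] if r[0] != "0.0.0.0/0"]
    return new


def internet_reachable_subnets(route_tables):
    """Sorted list of subnets whose route table still has a default route."""
    return sorted(s for rec in route_tables.values() if has_internet_route(rec) for s in rec["subnets"])


if __name__ == "__main__":
    print("before:", internet_reachable_subnets(ROUTE_TABLES))
    print("after: ", internet_reachable_subnets(cut_db_internet_routes(ROUTE_TABLES, DB_SUBNETS)))
```

The RDS instance keeps working for the application servers because the `local` route is untouched; only traffic to destinations outside the VPC CIDR loses its path.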

A development team is attempting to encrypt and decrypt a secure string parameter from AWS Systems Manager Parameter Store using an AWS Key Management Service (AWS KMS) CMK. However, each attempt results in an error message being sent to the development team.

Which CMK-related problems possibly account for the error? (Select two.)

A.
The CMK used in the attempt does not exist.
B.
The CMK used in the attempt needs to be rotated.
C.
The CMK used in the attempt is referenced by its key ID instead of the CMK ARN.
D.
The CMK used in the attempt is not enabled.
E.
The CMK used in the attempt is referenced by an alias.
Suggested answer: A, D

Explanation:

https://docs.aws.amazon.com/kms/latest/developerguide/services-parameter-store.html#parameter-store-cmk-fail

A business stores website images in an Amazon S3 bucket. The firm serves the photos to end users through Amazon CloudFront. The firm learned lately that the photographs are being accessed from countries in which it does not have a distribution license.

Which steps should the business take to safeguard the photographs and restrict their distribution? (Select two.)

A.
Update the S3 bucket policy to restrict access to a CloudFront origin access identity (OAI).
B.
Update the website DNS record to use an Amazon Route 53 geolocation record deny list of countries where the company lacks a license.
C.
Add a CloudFront geo restriction deny list of countries where the company lacks a license.
D.
Update the S3 bucket policy with a deny list of countries where the company lacks a license.
E.
Enable the Restrict Viewer Access option in CloudFront to create a deny list of countries where the company lacks a license.
Suggested answer: A, C

Explanation:

For Enable Geo-Restriction, choose Yes. For Restriction Type, choose Whitelist to allow access from certain countries, or choose Blacklist to block access from certain countries. The geo restriction applies only to requests that reach CloudFront, so the bucket must also be restricted to the OAI; otherwise the images remain fetchable directly from S3. https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-geo-restriction/

A company has multiple departments. Each department has its own AWS account. All these accounts belong to the same organization in AWS Organizations.

A large .csv file is stored in an Amazon S3 bucket in the sales department's AWS account. The company wants to allow users from the other accounts to access the .csv file's content through the combination of AWS Glue and Amazon Athena. However, the company does not want to allow users from the other accounts to access other files in the same folder.

Which solution will meet these requirements?

A.
Apply a user policy in the other accounts to allow AWS Glue and Athena to access the .csv file.
B.
Use S3 Select to restrict access to the .csv file. In the AWS Glue Data Catalog, use S3 Select as the source of the AWS Glue database.
C.
Define an AWS Glue Data Catalog resource policy in AWS Glue to grant cross-account S3 object access to the .csv file.
D.
Grant AWS Glue access to Amazon S3 in a resource-based policy that specifies the organization as the principal.
Suggested answer: A

A company is attempting to conduct forensic analysis on an Amazon EC2 instance, but the company is unable to connect to the instance by using AWS Systems Manager Session Manager. The company has installed AWS Systems Manager Agent (SSM Agent) on the EC2 instance.

The EC2 instance is in a subnet in a VPC that does not have an internet gateway attached. The company has associated a security group with the EC2 instance. The security group does not have inbound or outbound rules. The subnet's network ACL allows all inbound and outbound traffic.

Which combination of actions will allow the company to conduct forensic analysis on the EC2 instance without compromising forensic data? (Select THREE.)

A.
Update the EC2 instance security group to add a rule that allows outbound traffic on port 443 for 0.0.0.0/0.
B.
Update the EC2 instance security group to add a rule that allows inbound traffic on port 443 to the VPC's CIDR range.
C.
Create an EC2 key pair. Associate the key pair with the EC2 instance.
D.
Create a VPC interface endpoint for Systems Manager in the VPC where the EC2 instance is located.
E.
Attach a security group to the VPC interface endpoint. Allow inbound traffic on port 443 to the VPC's CIDR range.
F.
Create a VPC interface endpoint for the EC2 instance in the VPC where the EC2 instance is located.
Suggested answer: A, D, E

Explanation:

SSM Agent initiates outbound HTTPS connections to Systems Manager, so the instance needs an outbound rule on TCP 443 and no inbound rule (B). Without an internet gateway the agent can reach the service only through interface endpoints (the ssm and ssmmessages endpoints for Session Manager) whose security group accepts TCP 443 from the VPC CIDR. A key pair cannot be attached to a running instance, and rebuilding the instance to add one would disturb the evidence (C). Interface endpoints are created for AWS services, not for EC2 instances (F).
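Before changing anything on an instance under investigation it helps to know exactly which of the three pieces is missing, because each one is a separate change that has to be reversed afterwards. The following is an added example, not code from the exam page or from AWS: it models the instance security group, the interface endpoints, and the endpoint security group with hand-built records (IDs, CIDR and Region are invented) and lists the gaps that keep SSM Agent from reaching Session Manager. Nothing is queried from AWS; on a real VPC the records would come from `ec2:DescribeSecurityGroups` and `ec2:DescribeVpcEndpoints`.

```python
"""Which gaps keep SSM Agent on an isolated instance from reaching Session Manager?

Added example, not code from the exam page or from AWS. VPC CIDR, Region and
the rule records are constructed by hand; nothing is queried from AWS.
"""
import ipaddress

VPC_CIDR = "10.0.0.0/16"  # hypothetical
REGION = "us-east-1"
# Session Manager needs these two interface endpoints when there is no internet
# path; com.amazonaws.<region>.ec2messages is additionally needed for Run Command.
REQUIRED_ENDPOINTS = {f"com.amazonaws.{REGION}.ssm", f"com.amazonaws.{REGION}.ssmmessages"}


def _rule_covers(rules, direction, port, cidr):
    """True if some rule in `direction` allows TCP `port` for every address in `cidr`."""
    want = ipaddress.ip_network(cidr)
    for r in rules:
        if r["direction"] != direction or r["proto"] != "tcp":
            continue
        if not (r["from_port"] <= port <= r["to_port"]):
            continue
        if want.subnet_of(ipaddress.ip_network(r["cidr"])):
            return True
    return False


def check_session_manager_path(instance_sg_rules, endpoints, endpoint_sg_rules, vpc_cidr=VPC_CIDR):
    """Return the list of gaps; an empty list means the agent can reach the service."""
    gaps = []
    # The agent opens outbound HTTPS to the endpoint ENIs, which sit inside the VPC CIDR.
    if not _rule_covers(instance_sg_rules, "egress", 443, vpc_cidr):
        gaps.append("instance security group lacks an outbound TCP/443 rule reaching the endpoint ENIs")
    present = {e["service"] for e in endpoints if e.get("private_dns", True)}
    for svc in sorted(REQUIRED_ENDPOINTS - present):
        gaps.append(f"no interface endpoint (with private DNS) for {svc}")
    # The endpoint's own security group must accept the agent's connections.
    if not _rule_covers(endpoint_sg_rules, "ingress", 443, vpc_cidr):
        gaps.append("endpoint security group must allow inbound TCP/443 from the VPC CIDR")
    return gaps


# Constructed starting state from the question: empty instance SG, no endpoints.
INSTANCE_SG_EMPTY = []
# The fix (options A, D and E) expressed as records.
INSTANCE_SG_FIXED = [{"direction": "egress", "proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"}]
ENDPOINTS_FIXED = [{"service": f"com.amazonaws.{REGION}.ssm", "private_dns": True},
                   {"service": f"com.amazonaws.{REGION}.ssmmessages", "private_dns": True}]
ENDPOINT_SG_FIXED = [{"direction": "ingress", "proto": "tcp", "from_port": 443, "to_port": 443, "cidr": VPC_CIDR}]

if __name__ == "__main__":
    print("before:", check_session_manager_path(INSTANCE_SG_EMPTY, [], []))
    print("after: ", check_session_manager_path(INSTANCE_SG_FIXED, ENDPOINTS_FIXED, ENDPOINT_SG_FIXED))
```

Option D speaks of one endpoint for Systems Manager; in practice Session Manager needs both the `ssm` and the `ssmmessages` endpoints, and the check reports them separately so that a half-finished setup is visible. Because the agent only ever connects outbound, none of the three changes opens an inbound path to the instance itself, which is what keeps the forensic state intact.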