Amazon AWS Certified Security - Specialty - SCS-C02 FREE EXAM DUMPS QUESTIONS & ANSWERS]

Question 1

A company uses AWS Organizations. The company wants to implement short-term cre-dentials for third-party AWS accounts to use to access accounts within the com-pany's organization. Access is for the AWS Management Console and third-party software-as-a-service (SaaS) applications. Trust must be enhanced to prevent two external accounts from using the same credentials. The solution must require the least possible operational effort.
Which solution will meet these requirements?

A. Implement AWS IAM Identity Center (AWS Single Sign-On), and use an identi-ty source of choice. Grant access to users and groups from other accounts by using permission sets that are assigned by account. B. Create a unique IAM role for each external account. Create a trust policy that includes a condition that uses the sts:Externalld condition key. C. Create a unique IAM role for each external account. Create a trust policy. Use AWS Secrets Manager to create a random external key. D. Use a bearer token authentication with OAuth or SAML to manage and share a central Amazon Cognito user pool across multiple Amazon API Gateway APIs.

Discussion 0

Correct Answer: B Vote an answer

Explanation: Only visible for FreeCram members. You can sign-up / login (it's free).

Question 2

A company uses AWS Organizations to manage an organization that consists of three workload OUs Producbon Development and Testing. The company uses AWS CloudFormation templates to define and deploy workload infrastructure in AWS accounts that are associated with the OUs Different SCPs are attached to each workload OU.
The company successfully deployed a CloudFormation stack update to workloads in the Development OU and the Testing OU. When the company uses the same CloudFormation template to deploy the stack update in an account in the Production OU the update fails The error message reports insufficient 1AM permissions.
What is the FIRST step that a security engineer should take to troubleshoot this issue?

A. Make all the SCPs that are attached to the Production OU the same as the SCPs that are attached to the Testing OU. B. Review the AWS CloudTrail logs in the account in the Production OU Search for any failed API calls from CloudFormation during the deployment attempt. C. Remove all the SCPs that are attached to the Production OU Rerun the CloudFormation stack update to determine if the SCPs were preventing the CloudFormation API calls. D. Confirm that the role used by CloudFormation has sufficient permissions to create update and delete the resources that are referenced in the CloudFormation template.

Discussion 0

Correct Answer: D Vote an answer

Question 3

A company has an organization with SCPs in AWS Organizations. The root SCP for the organization is as follows:

The company's developers are members of a group that has an IAM policy that allows access to Amazon Simple Email Service (Amazon SES) by allowing ses:* actions. The account is a child to an OU that has an SCP that allows Amazon SES. The developers are receiving a not-authorized error when they try to access Amazon SES through the AWS Management Console.
Which change must a security engineer implement so that the developers can access Amazon SES?

A. Remove Amazon SES from the root SCP. B. Add a resource policy that allows "Principal": {"AWS": "arn:aws:iam::account-number:group/Dev"}. C. Remove the AWS Control Tower control (guardrail) that restricts access to Amazon SES. D. Add a resource policy that allows each member of the group to access Amazon SES.

Discussion 0

Correct Answer: A Vote an answer

Explanation: Only visible for FreeCram members. You can sign-up / login (it's free).

Question 4

Amazon CtoudWatch Logs agent is successfully delivering logs lo the CloudWatch Logs service. However, logs stop being delivered after the associated log stream has been active for a specific number of hours.
What steps are necessary to identify the cause of this phenomenon? (Select TWO.)

A. Use AWS CloudFormation to dynamically create and maintain the configuration file for the CloudWatch Logs agent. B. Create a CloudWatch Logs metric to isolate a value that changes at least once during the period before logging stops. C. Verify that the OS Log rotation rules are compatible with the configuration requirements for agent streaming. D. Configure an Amazon Kinesis producer to first put the logs into Amazon Kinesis Streams. E. Ensure that file permissions for monitored files that allow the CloudWatch Logs agent to read the file have not been modified

Discussion 0

Correct Answer: C,E Vote an answer

Explanation: Only visible for FreeCram members. You can sign-up / login (it's free).

Question 5

A healthcare company has multiple AWS accounts in an organization in AWS Organizations. The company uses Amazon S3 buckets to store sensitive information of patients. The company needs to restrict users from deleting any S3 bucket across the organization.
What is the MOST scalable solution that meets these requirements?

A. SCPs B. S3 bucket policies C. Permissions boundaries in AWS Identity and Access Management (1AM) D. Tag policies

Discussion 0

Correct Answer: A Vote an answer

Explanation: Only visible for FreeCram members. You can sign-up / login (it's free).

Question 6

A company wants to migrate its static primary domain website to AWS. The company hosts the website and DNS servers internally. The company wants the website to enforce SSL/TLS encryption block IP addresses from outside the United States (US), and take advantage of managed services whenever possible.
Which solution will meet these requirements?

A. Migrate the website to Amazon S3 Import a public SSL certificate that is created by AWS Certificate Manager (ACM) to Amazon. CloudFront Configure CloudFront to block traffic from outside the US. Migrate DNS to Amazon Route 53. B. Migrate the website to Amazon EC2 Import a public SSL certificate that is created by AWS Certificate Manager (ACM) to an Application Load Balancer with rules to block traffic from outside the US Update DNS accordingly. C. Migrate the website to Amazon S3 Import a public SSL certificate to an Application Load. Balancer with rules to block traffic from outside the US Migrate DNS to Amazon Route 53. D. Migrate the website to Amazon S3. Import a public SSL certificate to Amazon CloudFront Use AWS WAF rules to block traffic from outside the US Update DNS.accordingly

Discussion 0

Correct Answer: A Vote an answer

Explanation: Only visible for FreeCram members. You can sign-up / login (it's free).

Question 7

A company has an application that needs to read objects from an Amazon S3 bucket. The company configures an IAM policy and attaches the policy to an IAM role that the application uses. When the application tries to read objects from the S3 bucket, the application receives AccessDenied errors. A security engineer must resolve this problem without decreasing the security of the S3 bucket or the application.

A. Attach a resource policy to the S3 bucket to grant read access to the role. B. Review the IAM policy by using AWS Identity and Access Management Access Analyzer to ensure that the policy grants the right permissions. Validate that the application is assuming the role correctly. C. Ensure that the S3 Block Public Access feature is disabled on the S3 bucket. Review AWS CloudTrail logs to validate that the application is assuming the role correctly. D. Launch a new deployment of the application in a different AWS Region. Attach the role to the application.

Discussion 0

Correct Answer: B Vote an answer

Explanation: Only visible for FreeCram members. You can sign-up / login (it's free).

Question 8

A company has a requirement that no Amazon EC2 security group can allow SSH access from the CIDR block 0.0.0.070. The company wants to monitor compliance with this requirement at all times and wants to receive a near-real-time notification if any security group is noncompliant.
A security engineer has configured AWS Config and will use the restricted-ssh managed rule to monitor the security groups.
What should the security engineer do next to meet these requirements?

A. Configure AWS Config to push all its compliance notifications to Amazon CloudWatch Logs Configure a CloudWatch Logs metric filter on the AWS Config log group to look for a compliance notification change on the restricted-ssh managed rule. Create an Amazon CloudWatch alarm on the metric filter to send a notification to an Amazon Simple Notification Service (Amazon SNS) topic if the alarm is in the ALARM state. B. Configure AWS Config to send its configuration snapshots to an Amazon S3 bucket. Create an AWS Lambda function to run on a PutEvent to the S3 bucket. Configure the Lambda function to parse the snapshot for a compliance change to the restricled-ssh managed rule. Configure the Lambda function to send a notification to an Amazon Simple Notification Service (Amazon SNS) topic if a change is discovered. C. Configure an Amazon CloudWatch alarm on (he CloudWatch metric for the restricted-ssh managed rule. Configure the CloudWatch alarm to send a notification to an Amazon Simple Notification Service (Amazon SNS) topic if the alarm is in the ALARM state. D. Configure an Amazon EventBridge event rule that is invoked by a compliance change event from AWS Config for the restricted-ssh managed rule. Configure the event rule to target an Amazon Simple Notification Service (Amazon SNS) topic that will provide a notification.

Discussion 0

Correct Answer: D Vote an answer

Explanation: Only visible for FreeCram members. You can sign-up / login (it's free).

Question 9

A security engineer is creating an AWS Lambda function. The Lambda function needs to use a role that is named LambdaAuditRole to assume a role that is named AcmeAuditFactoryRole in a different AWS account.
When the code is processed, the following error message appears: "An error oc-curred (AccessDenied) when calling the AssumeRole operation." Which combination of steps should the security engineer take to resolve this er-ror? (Select TWO.)

A. Ensure that LambdaAuditRole has the AWSLambdaBasicExecutionRole managed policy attached. B. Ensure that the trust policy for AcmeAuditFactoryRole allows the sts:AssumeRole action from LambdaAuditRole. C. Ensure that the sts:AssumeRole API call is being issued to the us-east-I Region endpoint. D. Ensure that the trust policy for LambdaAuditRole allows the sts:AssumeRole action from the lambda.amazonaws.com service. E. Ensure that LambdaAuditRole has the sts:AssumeRole permission for Ac-meAuditFactoryRole.

Discussion 0

Correct Answer: B,E Vote an answer

Question 10

A security engineer has noticed an unusually high amount of traffic coming from a single IP address. This was discovered by analyzing the Application Load Balancer's access logs.
How can the security engineer limit the number of requests from a specific IP address without blocking the IP address?

A. Add a rule to the Application Load Balancer to route the traffic originating from the IP address in question and show a static webpage. B. Implement a rate-based rule with AWS WAF. C. Use AWS Shield to limit the originating traffic hit rate. D. Implement the GeoLocation feature in Amazon Route 53.

Discussion 0

Correct Answer: B Vote an answer

Explanation: Only visible for FreeCram members. You can sign-up / login (it's free).

Question 11

A company needs to implement data lifecycle management for Amazon RDS snapshots. The company will use AWS Backup to manage the snapshots.
The company must retain RDS automated snapshots for 5 years and will use Amazon S3 for long-term archival storage.
Which solution will meet these requirements?

A. Enable versioning on the S3 bucket that AWS Backup uses for the RDS snapshots. Configure a 5-year retention period. B. Create an S3 Lifecycle policy. Include a 5-year retention period for the S3 bucket that AWS Backup uses for the RDS snapshots. C. Create a backup plan in AWS Backup. Configure a 5-year retention period. D. Use AWS Backup to apply a 5-year retention tag to the RDS snapshots.

Discussion 0

Correct Answer: C Vote an answer

Question 12

A company is processing data on AWS. The data is transmitted by millions of connected devices and is stored in Amazon RDS and Amazon DocumentDB (with MongoDB compatibility). The company uses AWS Backup to back up the data.
The company needs a solution to preserve individual backup recovery points Ail related data and metadata, such as character encodings and datatypes, must remain unchanged and protected from deletion. Retention times for the data will vary from several days to several years.
Which solution will meet these requirements?

A. Configure an AWS Backup Vault Lock in compliance mode. B. Configure an AWS Backup Vault Lock in governance mode. C. Export the backup data to Amazon S3 Create S3 Object Lock legal holds for the recovery points. D. Use AWS Backup to create legal holds for the recovery points.

Discussion 0

Correct Answer: A Vote an answer

Question 13

A company is migrating its Amazon EC2 based applications to use Instance Metadata Service Version 2 (IMDSv2). A security engineer needs to determine whether any of the EC2 instances are still using Instance Metadata Service Version 1 (IMDSv1).
What should the security engineer do to confirm that the IMDSv1 endpoint is no longer being used?

A. Configure user data scripts for all EC2 instances to send logging information to AWS CloudTrail when IMDSv1 is used Create a metric filter and an Amazon CloudWatch dashboard Track the metric in the dashboard. B. Create an Amazon CloudWatch dashboard Verify that the EC2MetadataNoToken metric is zero across all EC2 instances. Monitor the dashboard. C. Configure logging on the Amazon CloudWatch agent for IMDSv1 as part of EC2 instance startup. Create a metric filter and a CloudWatch dashboard. Track the metric in the dashboard. D. Create a security group that blocks access to HTTP for the IMDSv1 endpoint Attach the security group to all EC2 instances.

Discussion 0

Correct Answer: B Vote an answer

Explanation: Only visible for FreeCram members. You can sign-up / login (it's free).