Description
Genuine Exam Dumps For SCS-C02:
Prepare Yourself Expertly for SCS-C02 Exam:
Our team of highly skilled and experienced professionals is dedicated to delivering up-to-date and precise study materials in PDF format to our customers. We deeply value both your time and financial investment, and we have spared no effort to provide you with the highest quality work. We ensure that our students consistently achieve a score of more than 95% in the Amazon SCS-C02 exam. You provide only authentic and reliable study material. Our team of professionals is always working very keenly to keep the material updated. Hence, they communicate to the students quickly if there is any change in the SCS-C02 dumps file. The Amazon SCS-C02 exam question answers and SCS-C02 dumps we offer are as genuine as studying the actual exam content.
24/7 Friendly Approach:
You can reach out to our agents at any time for guidance; we are available 24/7. Our agent will provide you information you need; you can ask them any questions you have. We are here to provide you with a complete study material file you need to pass your SCS-C02 exam with extraordinary marks.
Quality Exam Dumps for Amazon SCS-C02:
Pass4surexams provide trusted study material. If you want to meet a sweeping success in your exam you must sign up for the complete preparation at Pass4surexams and we will provide you with such genuine material that will help you succeed with distinction. Our experts work tirelessly for our customers, ensuring a seamless journey to passing the Amazon SCS-C02 exam on the first attempt. We have already helped a lot of students to ace IT certification exams with our genuine SCS-C02 Exam Question Answers. Don’t wait and join us today to collect your favorite certification exam study material and get your dream job quickly.
90 Days Free Updates for Amazon SCS-C02 Exam Question Answers and Dumps:
Enroll with confidence at Pass4surexams, and not only will you access our comprehensive Amazon SCS-C02 exam question answers and dumps, but you will also benefit from a remarkable offer – 90 days of free updates. In the dynamic landscape of certification exams, our commitment to your success doesn’t waver. If there are any changes or updates to the Amazon SCS-C02 exam content during the 90-day period, rest assured that our team will promptly notify you and provide the latest study materials, ensuring you are thoroughly prepared for success in your exam.”
Amazon SCS-C02 Real Exam Questions:
Quality is the heart of our service that’s why we offer our students real exam questions with 100% passing assurance in the first attempt. Our SCS-C02 dumps PDF have been carved by the experienced experts exactly on the model of real exam question answers in which you are going to appear to get your certification.
Amazon SCS-C02 Sample Questions
Question # 1
A company has AWS accounts in an organization in AWS Organizations. The organizationincludes a dedicated security account.All AWS account activity across all member accounts must be logged and reported to thededicated security account. The company must retain all the activity logs in a securestorage location within the dedicated security account for 2 years. No changes or deletions of the logs are allowed.Which combination of steps will meet these requirements with the LEAST operationaloverhead? (Select TWO.)
A. In the dedicated security account, create an Amazon S3 bucket. Configure S3 ObjectLock in compliance mode and a retention period of 2 years on the S3 bucket. Set thebucket policy to allow the organization’s management account to write to the S3 bucket.
B. In the dedicated security account, create an Amazon S3 bucket. Configure S3 ObjectLock in compliance mode and a retention period of 2 years on the S3 bucket. Set thebucket policy to allow the organization’s member accounts to write to the S3 bucket.
C. In the dedicated security account, create an Amazon S3 bucket that has an S3 Lifecycleconfiguration that expires objects after 2 years. Set the bucket policy to allow theorganization’s member accounts to write to the S3 bucket.
D. Create an AWS Cloud Trail trail for the organization. Configure logs to be delivered tothe logging Amazon S3 bucket in the dedicated security account.
E. Turn on AWS CloudTrail in each account. Configure logs to be delivered to an AmazonS3 bucket that is created in the organization’s management account. Forward the logs tothe S3 bucket in the dedicated security account by using AWS Lambda and AmazonKinesis Data Firehose.
Explanation:The correct answer is B and D. In the dedicated security account, create an Amazon S3bucket. Configure S3 Object Lock in compliance mode and a retention period of 2 years onthe S3 bucket. Set the bucket policy to allow the organization’s member accounts to writeto the S3 bucket. Create an AWS CloudTrail trail for the organization. Configure logs to bedelivered to the logging Amazon S3 bucket in the dedicated security account.According to the AWS documentation, AWS CloudTrail is a service that enablesgovernance, compliance, operational auditing, and risk auditing of your AWS account. WithCloudTrail, you can log, continuously monitor, and retain account activity related to actionsacross your AWS infrastructure. CloudTrail provides event history of your AWS accountactivity, including actions taken through the AWS Management Console, AWS SDKs,command line tools, and other AWS services.To use CloudTrail with multiple AWS accounts and regions, you need to enable AWSOrganizations with all features enabled. This allows you to centrally manage your accountsand apply policies across your organization. You can also use CloudTrail as a serviceprincipal for AWS Organizations, which lets you create an organization trail that applies toall accounts in your organization. An organization trail logs events for all AWS Regions anddelivers the log files to an S3 bucket that you specify. To create an organization trail, you need to use an administrator account, such as theorganization’s management account or a delegated administrator account. You can thenconfigure the trail to deliver logs to an S3 bucket in the dedicated security account. This willensure that all account activity across all member accounts and regions is logged andreported to the security account.According to the AWS documentation, Amazon S3 is an object storage service that offersscalability, data availability, security, and performance. You can use S3 to store andretrieve any amount of data from anywhere on the web. You can also use S3 features suchas lifecycle management, encryption, versioning, and replication to optimize your storage.To use S3 with CloudTrail logs, you need to create an S3 bucket in the dedicated securityaccount that will store the logs from the organization trail. You can then configure S3Object Lock on the bucket to prevent objects from being deleted or overwritten for a fixedamount of time or indefinitely. You can also enable compliance mode on the bucket, whichprevents any user, including the root user in your account, from deleting or modifying alocked object until it reaches its retention date.To set a retention period of 2 years on the S3 bucket, you need to create a default retentionconfiguration for the bucket that specifies a retention mode (either governance orcompliance) and a retention period (either a number of days or a date). You can then setthe bucket policy to allow the organization’s member accounts to write to the S3 bucket.This will ensure that all logs are retained in a secure storage location within the securityaccount for 2 years and no changes or deletions are allowed.Option A is incorrect because setting the bucket policy to allow the organization’smanagement account to write to the S3 bucket is not sufficient, as it will not grant access tothe other member accounts in the organization.Option C is incorrect because using an S3 Lifecycle configuration that expires objects after2 years is not secure, as it will allow users to delete or modify objects before they expire.Option E is incorrect because using Lambda and Kinesis Data Firehose to forward logsfrom one S3 bucket to another is not necessary, as CloudTrail can directly deliver logs toan S3 bucket in another account. It also introduces additional operational overhead andcomplexity.
Question # 2
A company wants to monitor the deletion of customer managed CMKs A security engineermust create an alarm that will notify the company before a CMK is deleted The securityengineer has configured the integration of IAM CloudTrail with Amazon CloudWatchWhat should the security engineer do next to meet this requirement?
A. Use inbound rule 100 to allow traffic on TCP port 443 Use inbound rule 200 to denytraffic on TCP port 3306 Use outbound rule 100 to allow traffic on TCP port 443
B. Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allowtraffic on TCP port range 1024-65535. Use outbound rule 100 to allow traffic on TCP port443
C. Use inbound rule 100 to allow traffic on TCP port range 1024-65535 Use inbound rule200 to deny traffic on TCP port 3306 Use outbound rule 100 to allow traffic on TCP port443
D. Use inbound rule 100 to deny traffic on TCP port 3306 Use inbound rule 200 to allowtraffic on TCP port 443 Use outbound rule 100 to allow traffic on TCP port 443
Question # 3
A company has implemented IAM WAF and Amazon CloudFront for an application. Theapplication runs on Amazon EC2 instances that are part of an Auto Scaling group. TheAuto Scaling group is behind an Application Load Balancer (ALB).The IAM WAF web ACL uses an IAM Managed Rules rule group and is associated with theCloudFront distribution. CloudFront receives the request from IAM WAF and then uses theALB as the distribution’s origin.During a security review, a security engineer discovers that the infrastructure is susceptibleto a large, layer 7 DDoS attack.How can the security engineer improve the security at the edge of the solution to defendagainst this type of attack?
A. Configure the CloudFront distribution to use the Lambda@Edge feature. Create an IAMLambda function that imposes a rate limit on CloudFront viewer requests. Block the requestif the rate limit is exceeded.
B. Configure the IAM WAF web ACL so that the web ACL has more capacity units toprocess all IAM WAF rules faster.
C. Configure IAM WAF with a rate-based rule that imposes a rate limit that automaticallyblocks requests when the rate limit is exceeded.
D. Configure the CloudFront distribution to use IAM WAF as its origin instead of the ALB.
Explanation: To improve the security at the edge of the solution to defend against a large, layer 7 DDoSattack, the security engineer should do the following:Configure AWS WAF with a rate-based rule that imposes a rate limit thatautomatically blocks requests when the rate limit is exceeded. This allows thesecurity engineer to use a rule that tracks the number of requests from a single IPaddress and blocks subsequent requests if they exceed a specified thresholdwithin a specified time period.
Question # 4
An IT department currently has a Java web application deployed on Apache Tomcatrunning on Amazon EC2 instances. All traffic to the EC2 instances is sent through aninternet-facing Application Load Balancer (ALB) The Security team has noticed during thepast two days thousands of unusual read requests coming from hundreds of IP addresses.This is causing the Tomcat server to run out of threads and reject new connectionsWhich the SIMPLEST change that would address this server issue?
A. Create an Amazon CloudFront distribution and configure the ALB as the origin
B. Block the malicious IPs with a network access list (NACL).
C. Create an IAM Web Application Firewall (WAF). and attach it to the ALB
D. Map the application domain name to use Route 53
Explanation: this is the simplest change that can address the server issue. CloudFront is aservice that provides a global network of edge locations that cache and deliver webcontent. Creating a CloudFront distribution and configuring the ALB as the origin can helpreduce the load on the Tomcat server by serving cached content to the end users.CloudFront can also provide protection against distributed denial-of-service (DDoS) attacksby filtering malicious traffic at the edge locations. The other options are either ineffective orcomplex for solving the server issue.
Question # 5
A company recently had a security audit in which the auditors identified multiple potentialthreats. These potential threats can cause usage pattern changes such as DNS access peak, abnormal instance traffic, abnormal network interface traffic, and unusual Amazon S3API calls. The threats can come from different sources and can occur at any time. Thecompany needs to implement a solution to continuously monitor its system and identify allthese incoming threats in near-real time.Which solution will meet these requirements?
A. Enable AWS CloudTrail logs, VPC flow logs, and DNS logs. Use Amazon CloudWatchLogs to manage these logs from a centralized account.
B. Enable AWS CloudTrail logs, VPC flow logs, and DNS logs. Use Amazon Macie tomonitor these logs from a centralized account.
C. Enable Amazon GuardDuty from a centralized account. Use GuardDuty to manageAWS CloudTrail logs, VPC flow logs, and DNS logs.
D. Enable Amazon Inspector from a centralized account. Use Amazon Inspector to manageAWS CloudTrail logs, VPC flow logs, and DNS logs.
Explanation:Q: Which data sources does GuardDuty analyze? GuardDuty analyzes CloudTrailmanagement event logs, CloudTrail S3 data event logs, VPC Flow Logs, DNS query logs,and Amazon EKS audit logs. GuardDuty can also scan EBS volume data for possiblemalware when GuardDuty Malware Protection is enabled and identifies suspiciousbehavior indicative of malicious software in EC2 instance or container workloads. Theservice is optimized to consume large data volumes for near real-time processing ofsecurity detections. GuardDuty gives you access to built-in detection techniques developedand optimized for the cloud, which are maintained and continuously improved upon byGuardDuty engineering.
Question # 6
A company has multiple Amazon S3 buckets encrypted with customer-managed CMKsDue to regulatory requirements the keys must be rotated every year. The company’sSecurity Engineer has enabled automatic key rotation for the CMKs; however the companywants to verity that the rotation has occurred.What should the Security Engineer do to accomplish this?
A. Filter IAM CloudTrail logs for KeyRotaton events
B. Monitor Amazon CloudWatcn Events for any IAM KMS CMK rotation events
C. Using the IAM CLI. run the IAM kms gel-key-relation-status operation with the –key-idparameter to check the CMK rotation date
D. Use Amazon Athena to query IAM CloudTrail logs saved in an S3 bucket to filterGenerate New Key events
Explanation: the aws kms get-key-rotation-status command returns a boolean value thatindicates whether automatic rotation of the customer master key (CMK) is enabled1. Thiscommand also shows the date and time when the CMK was last rotated2. The otheroptions are not valid ways to check the CMK rotation status.
Question # 7
A security engineer needs to build a solution to turn IAM CloudTrail back on in multiple IAMRegions in case it is ever turned off.What is the MOST efficient way to implement this solution?
A. Use IAM Config with a managed rule to trigger the IAM-EnableCloudTrail remediation.
B. Create an Amazon EventBridge (Amazon CloudWatch Events) event with acloudtrail.amazonIAM.com event source and a StartLogging event name to trigger an IAMLambda function to call the StartLogging API.
C. Create an Amazon CloudWatch alarm with a cloudtrail.amazonIAM.com event sourceand a StopLogging event name to trigger an IAM Lambda function to call the StartLoggingAPI.
D. Monitor IAM Trusted Advisor to ensure CloudTrail logging is enabled.
Question # 8
An application is running on an Amazon EC2 instance that has an IAM role attached. TheIAM role provides access to an AWS Key Management Service (AWS KMS) customermanaged key and an Amazon S3 bucket. The key is used to access 2 TB of sensitive datathat is stored in the S3 bucket.A security engineer discovers a potential vulnerability on the EC2 instance that could resultin the compromise of the sensitive data. Due to other critical operations, the securityengineer cannot immediately shut down the EC2 instance for vulnerability patching.What is the FASTEST way to prevent the sensitive data from being exposed?
A. Download the data from the existing S3 bucket to a new EC2 instance. Then delete thedata from the S3 bucket. Re-encrypt the data with a client-based key. Upload the data to anew S3 bucket.
B. Block access to the public range of S3 endpoint IP addresses by using a host-basedfirewall. Ensure that internet-bound traffic from the affected EC2 instance is routed throughthe host-based firewall.
C. Revoke the IAM role’s active session permissions. Update the S3 bucket policy to denyaccess to the IAM role. Remove the IAM role from the EC2 instance profile.
D. Disable the current key. Create a new KMS key that the IAM role does not have accessto, and re-encrypt all the data with the new key. Schedule the compromised key fordeletion.
Question # 9
A company uses Amazon API Gateway to present REST APIs to users. An API developerwants to analyze API access patterns without the need to parse the log files.Which combination of steps will meet these requirements with the LEAST effort? (SelectTWO.)
A. Configure access logging for the required API stage.
B. Configure an AWS CloudTrail trail destination for API Gateway events. Configure filterson the userldentity, userAgent, and sourcelPAddress fields.
C. Configure an Amazon S3 destination for API Gateway logs. Run Amazon Athenaqueries to analyze API access information.
D. Use Amazon CloudWatch Logs Insights to analyze API access information.
E. Select the Enable Detailed CloudWatch Metrics option on the required API stage.
Question # 10
A company has an application that uses dozens of Amazon DynamoDB tables to storedata. Auditors find that the tables do not comply with the company’s data protection policy.The company’s retention policy states that all data must be backed up twice each month:once at midnight on the 15th day of the month and again at midnight on the 25th day of themonth. The company must retain the backups for 3 months.Which combination of steps should a security engineer take to meet these re-quirements?(Select TWO.)
A. Use the DynamoDB on-demand backup capability to create a backup plan. Con-figure alifecycle policy to expire backups after 3 months.
B. Use AWS DataSync to create a backup plan. Add a backup rule that includes a retentionperiod of 3 months.
C. Use AVVS Backup to create a backup plan. Add a backup rule that includes a retentionperiod of 3 months.
D. Set the backup frequency by using a cron schedule expression. Assign eachDynamoDB table to the backup plan.
E. Set the backup frequency by using a rate schedule expression. Assign each DynamoDBtable to the backup plan.
Question # 11
A company has multiple departments. Each department has its own IAM account. All theseaccounts belong to the same organization in IAM Organizations.A large .csv file is stored in an Amazon S3 bucket in the sales department’s IAM account.The company wants to allow users from the other accounts to access the .csv file’s contentthrough the combination of IAM Glue and Amazon Athena. However, the company doesnot want to allow users from the other accounts to access other files in the same folder.Which solution will meet these requirements?
A. Apply a user policy in the other accounts to allow IAM Glue and Athena lo access the.csv We.
B. Use S3 Select to restrict access to the .csv lie. In IAM Glue Data Catalog, use S3 Selectas the source of the IAM Glue database.
C. Define an IAM Glue Data Catalog resource policy in IAM Glue to grant cross-account S3object access to the .csv file.
D. Grant IAM Glue access to Amazon S3 in a resource-based policy that specifies theorganization as the principal.
Question # 12
A development team is attempting to encrypt and decode a secure string parameter fromthe IAM Systems Manager Parameter Store using an IAM Key Management Service (IAMKMS) CMK. However, each attempt results in an error message being sent to the development team.Which CMK-related problems possibly account for the error? (Select two.)
A. The CMK is used in the attempt does not exist.
B. The CMK is used in the attempt needs to be rotated.
C. The CMK is used in the attempt is using the CMK€™s key ID instead of the CMK ARN.
D. The CMK is used in the attempt is not enabled.
E. The CMK is used in the attempt is using an alias.
Explanation: https://docs.IAM.amazon.com/kms/latest/developerguide/servicesparameter-store.html#parameter-store-cmk-fail
Question # 13
A company in France uses Amazon Cognito with the Cognito Hosted Ul as an identitybroker for sign-in and sign-up processes. The company is marketing an application andexpects that all the application’s users will come from France.When the company launches the application the company’s security team observesfraudulent sign-ups for the application. Most of the fraudulent registrations are from usersoutside of France.The security team needs a solution to perform custom validation at sign-up Based on theresults of the validation the solution must accept or deny the registration request.Which combination of steps will meet these requirements? (Select TWO.)
A. Create a pre sign-up AWS Lambda trigger. Associate the Amazon Cognito function withthe Amazon Cognito user pool.
B. Use a geographic match rule statement to configure an AWS WAF web ACL. Associatethe web ACL with the Amazon Cognito user pool.
C. Configure an app client for the application’s Amazon Cognito user pool. Use the appclient ID to validate the requests in the hosted Ul.
D. Update the application’s Amazon Cognito user pool to configure a geographic restrictionsetting.
E. Use Amazon Cognito to configure a social identity provider (IdP) to validate the requestson the hosted Ul.
Explanation: https://docs.aws.amazon.com/cognito/latest/developerguide/user-poollambda-post-authentication.html
Question # 14
A company’s IAM account consists of approximately 300 IAM users. Now there is amandate that an access change is required for 100 IAM users to have unlimited privilegesto S3.As a system administrator, how can you implement this effectively so that there is noneed to apply the policy at the individual user level?Please select:
A. Create a new role and add each user to the IAM role
B. Use the IAM groups and add users, based upon their role, to different groups and applythe policy to group
C. Create a policy and apply it to multiple users using a JSON script
D. Create an S3 bucket policy with unlimited access which includes each user’s IAMaccount ID
Explanation: Option A is incorrect since you don’t add a user to the IAM RoleOption C is incorrect since you don’t assign multiple users to a policyOption D is incorrect since this is not an ideal approachAn IAM group is used to collectively manage users who need the same set of permissions.By having groups, it becomes easier to manage permissions. So if you change thepermissions on the group scale, it will affect all the users in that groupFor more information on IAM Groups, just browse to the below URL:https://docs.IAM.amazon.com/IAM/latest/UserGuide/id_eroups.htmlThe correct answer is: Use the IAM groups and add users, based upon their role, todifferent groups and apply the policy to group Submit your Feedback/Queries to our Experts
Question # 15
A company needs to encrypt all of its data stored in Amazon S3. The company wants touse IAM Key Management Service (IAM KMS) to create and manage its encryption keys.The company’s security policies require the ability to Import the company’s own keymaterial for the keys, set an expiration date on the keys, and delete keys immediately, ifneeded.How should a security engineer set up IAM KMS to meet these requirements?
A. Configure IAM KMS and use a custom key store. Create a customer managed CMK withno key material Import the company’s keys and key material into the CMK
B. Configure IAM KMS and use the default Key store Create an IAM managed CMK withno key material Import the company’s key material into the CMK
C. Configure IAM KMS and use the default key store Create a customer managed CMKwith no key material import the company’s key material into the CMK
D. Configure IAM KMS and use a custom key store. Create an IAM managed CMK with nokey material. Import the company’s key material into the CMK.
Explanation: To meet the requirements of importing their own key material, setting anexpiration date on the keys, and deleting keys immediately, the security engineer should dothe following:Configure AWS KMS and use a custom key store. This allows the securityengineer to use a key manager outside of AWS KMS that they own and manage,such as an AWS CloudHSM cluster or an external key manager.Create a customer managed CMK with no key material. Import the company’skeys and key material into the CMK. This allows the security engineer to use theirown key material for encryption and decryption operations, and to specify anexpiration date for it.
Question # 16
A company has an organization in AWS Organizations. The company wants to use AWSCloudFormation StackSets in the organization to deploy various AWS design patterns intoenvironments. These patterns consist of Amazon EC2 instances, Elastic Load Balancing(ELB) load balancers, Amazon RDS databases, and Amazon Elastic Kubernetes Service(Amazon EKS) clusters or Amazon Elastic Container Service (Amazon ECS) clusters.Currently, the company’s developers can create their own CloudFormation stacks toincrease the overall speed of delivery. A centralized CI/CD pipeline in a shared servicesAWS account deploys each CloudFormation stack.The company’s security team has already provided requirements for each service inaccordance with internal standards. If there are any resources that do not comply with theinternal standards, the security team must receive notification to take appropriate action.The security team must implement a notification solution that gives developers the ability tomaintain the same overall delivery speed that they currently have.Which solution will meet these requirements in the MOST operationally efficient way?
A. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe thesecurity team’s email addresses to the SNS topic. Create a custom AWS Lambda functionthat will run the aws cloudformation validate-template AWS CLI command on all CloudFormation templates before the build stage in the CI/CD pipeline. Configure theCI/CD pipeline to publish a notification to the SNS topic if any issues are found.
B. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe thesecurity team’s email addresses to the SNS topic. Create custom rules in CloudFormationGuard for each resource configuration. In the CllCD pipeline, before the build stage,configure a Docker image to run the cfn-guard command on the CloudFormation template.Configure the CI/CD pipeline to publish a notification to the SNS topic if any issues arefound.
C. Create an Amazon Simple Notification Service (Amazon SNS) topic and an Am-azonSimple Queue Service (Amazon SQS) queue. Subscribe the security team’s emailaddresses to the SNS topic. Create an Amazon S3 bucket in the shared services AWSaccount. Include an event notification to publish to the SQS queue when new objects areadded to the S3 bucket. Require the de-velopers to put their CloudFormation templates inthe S3 bucket. Launch EC2 instances that automatically scale based on the SQS queuedepth. Con-figure the EC2 instances to use CloudFormation Guard to scan the templatesand deploy the templates if there are no issues. Configure the CllCD pipe-line to publish anotification to the SNS topic if any issues are found.
D. Create a centralized CloudFormation stack set that includes a standard set of resourcesthat the developers can deploy in each AWS account. Configure each CloudFormationtemplate to meet the security requirements. For any new resources or configurations,update the CloudFormation template and send the template to the security team for review.When the review is com-pleted, add the new CloudFormation stack to the repository for thedevel-opers to use.
Answer: B
Question # 17
A company’s policy requires that all API keys be encrypted and stored separately fromsource code in a centralized security account. This security account is managed by thecompany’s security team However, an audit revealed that an API key is steed with thesource code of an IAM Lambda function m an IAM CodeCommit repository in the DevOpsaccountHow should the security learn securely store the API key?
A. Create a CodeCommit repository in the security account using IAM Key ManagementService (IAM KMS) tor encryption Require the development team to migrate the Lambdasource code to this repository
B. Store the API key in an Amazon S3 bucket in the security account using server-sideencryption with Amazon S3 managed encryption keys (SSE-S3) to encrypt the key Createa resigned URL tor the S3 key. and specify the URL m a Lambda environmental variable inthe IAM CloudFormation template Update the Lambda function code to retrieve the keyusing the URL and call the API
C. Create a secret in IAM Secrets Manager in the security account to store the API keyusing IAM Key Management Service (IAM KMS) tor encryption Grant access to the IAMrole used by the Lambda function so that the function can retrieve the key from Secrets Manager and call the API
D. Create an encrypted environment variable for the Lambda function to store the API keyusing IAM Key Management Service (IAM KMS) tor encryption Grant access to the IAMrole used by the Lambda function so that the function can decrypt the key at runtime
Explanation: To securely store the API key, the security team should do the following:Create a secret in AWS Secrets Manager in the security account to store the APIkey using AWS Key Management Service (AWS KMS) for encryption. This allowsthe security team to encrypt and manage the API key centrally, and to configureautomatic rotation schedules for it.Grant access to the IAM role used by the Lambda function so that the function canretrieve the key from Secrets Manager and call the API. This allows the securityteam to avoid storing the API key with the source code, and to use IAM policies tocontrol access to the secret.
Question # 18
Example.com is hosted on Amazon EC2 instances behind an Application Load Balancer(ALB). Third-party host intrusion detection system (HIDS) agents that capture the traffic ofthe EC2 instance are running on each host. The company must ensure they are usingprivacy enhancing technologies for users, without losing the assurance the third-partysolution offers.What is the MOST secure way to meet these requirements?
A. Enable TLS pass through on the ALB, and handle decryption at the server using EllipticCurve Diffie-Hellman (ECDHE) cipher suites.
B. Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and pass the traffic in the clear to the server.
C. Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie- Hellman (ECDHE) cipher suites, and use encrypted connections to the servers that do notenable Perfect Forward Secrecy (PFS).
D. Create a listener on the ALB that does not enable Perfect Forward Secrecy (PFS) ciphersuites, and use encrypted connections to the servers using Elliptic Curve Diffie-Hellman(ECDHE) cipher suites.
Explanation:
the most secure way to meet the requirements. TLS is a protocol that provides encryptionand authentication for data in transit. ALB is a service that distributes incoming trafficacross multiple EC2 instances. HIDS is a system that monitors and detects maliciousactivity on a host. ECDHE is a type of cipher suite that supports perfect forward secrecy,which is a property that ensures that past and current TLS traffic stays secure even if thecertificate private key is leaked. By creating a listener on the ALB that does not enable PFScipher suites, and using encrypted connections to the servers using ECDHE cipher suites,you can ensure that the HIDS agents can capture the traffic of the EC2 instance withoutcompromising the privacy of the users. The other options are either less secure or lesscompatible with the third-party solution.
Question # 19
A company wants to receive an email notification about critical findings in AWS SecurityHub. The company does not have an existing architecture that supports this functionality.Which solution will meet the requirement?
A. Create an AWS Lambda function to identify critical Security Hub findings. Create anAmazon Simple Notification Service (Amazon SNS) topic as the target of the Lambdafunction. Subscribe an email endpoint to the SNS topic to receive published messages.
B. Create an Amazon Kinesis Data Firehose delivery stream. Integrate the delivery stream with Amazon EventBridge. Create an EventBridge rule that has a filter to detect criticalSecurity Hub findings. Configure the delivery stream to send the findings to an emailaddress.
C. Create an Amazon EventBridge rule to detect critical Security Hub findings. Create anAmazon Simple Notification Service (Amazon SNS) topic as the target of the EventBridgerule. Subscribe an email endpoint to the SNS topic to receive published messages.
D. Create an Amazon EventBridge rule to detect critical Security Hub findings. Create anAmazon Simple Email Service (Amazon SES) topic as the target of the EventBridge rule.Use the Amazon SES API to format the message. Choose an email address to be therecipient of the message.
Explanation:This solution meets the requirement of receiving an email notification about critical findingsin AWS Security Hub. Amazon EventBridge is a serverless event bus that can receiveevents from AWS services and third-party sources, and route them to targets based onrules and filters. Amazon SNS is a fully managed pub/sub service that can send messagesto various endpoints, such as email, SMS, mobile push, and HTTP. By creating anEventBridge rule that detects critical Security Hub findings and sends them to an SNStopic, the company can leverage the existing integration between these services and avoidwriting custom code or managing servers. By subscribing an email endpoint to the SNStopic, the company can receive published messages in their inbox.
Question # 20
A company has recently recovered from a security incident that required the restoration ofAmazon EC2 instances from snapshots. After performing a gap analysis of its disaster recovery procedures and backup strategies,the company is concerned that, next time, it will not be able to recover the EC2 instances ifthe AWS account was compromised and Amazon EBS snapshots were deleted.All EBS snapshots are encrypted using an AWS KMS CMK.Which solution would solve this problem?
A. Create a new Amazon S3 bucket. Use EBS lifecycle policies to move EBS snapshots tothe new S3 bucket. Move snapshots to Amazon S3 Glacier using lifecycle policies, andapply Glacier Vault Lock policies to prevent deletion.
B. Use AWS Systems Manager to distribute a configuration that performs local backups ofall attached disks to Amazon S3.
C. Create a new AWS account with limited privileges. Allow the new account to access theAWS KMS key used to encrypt the EBS snapshots, and copy the encrypted snapshots tothe new account on a recurring basis.stent.
D. Use AWS Backup to copy EBS snapshots to Amazon S3.
This answer is correct because creating a new AWS account with limited privileges wouldprovide an isolated and secure backup destination for the EBS snapshots. Allowing thenew account to access the AWS KMS key used to encrypt the EBS snapshots wouldenable cross-account snapshot sharing without requiring re-encryption. Copying theencrypted snapshots to the new account on a recurring basis would ensure that thebackups are up-to-date and consi
Leave A Comment