Summer Limited Time 60% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: dealsixty

Amazon Web Services SCS-C02 Online Access

Page: 10 / 24
Question 40

A company uses identity federation to authenticate users into an identity account (987654321987) where the users assume an IAM role named IdentityRole. The users then assume an IAM role named JobFunctionRole in the target IAM account (123456789123) to perform their job functions.

A user is unable to assume the IAM role in the target account. The policy attached to the role in the identity account is:

What should be done to enable the user to assume the appropriate role in the target account?

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 41

A security engineer is trying to use Amazon EC2 Image Builder to create an image of an EC2 instance. The security engineer has configured the pipeline to send logs to an Amazon S3 bucket. When the security engineer runs the pipeline, the build fails with the following error: “AccessDenied: Access Denied status code: 403”.

The security engineer must resolve the error by implementing a solution that complies with best practices for least privilege access.

Which combination of steps will meet these requirements? (Choose two.)

Options:

A.

Ensure that the following policies are attached to the IAM role that the security engineer is using: EC2InstanceProfileForImageBuilder, EC2InstanceProfileForImageBuilderECRContainerBuilds, and AmazonSSMManagedInstanceCore.

B.

Ensure that the following policies are attached to the instance profile for the EC2 instance: EC2InstanceProfileForImageBuilder, EC2InstanceProfileForImageBuilderECRContainerBuilds, and AmazonSSMManagedInstanceCore.

C.

Ensure that the AWSImageBuilderFullAccess policy is attached to the instance profile for the EC2 instance.

D.

Ensure that the security engineer’s IAM role has the s3:PutObject permission for the S3 bucket.

E.

Ensure that the instance profile for the EC2 instance has the s3:PutObject permission for the S3 bucket.

Question 42

A company deployed an Amazon EC2 instance to a VPC on AWS. A recent alert indicates that the EC2 instance is receiving a suspicious number of requests over an open TCP port from an external source. The TCP port remains open for long periods of time.

The company's security team needs to stop all activity to this port from the external source to ensure that the EC2 instance is not being compromised. The application must remain available to other users.

Which solution will mefet these requirements?

Options:

A.

Update the network ACL that is attached to the subnet that is associated with the EC2 instance. Add a Deny statement for the port and the source IP addresses.

B.

Update the elastic network interface security group that is attached to the EC2 instance to remove the port from theinbound rule list.

C.

Update the elastic network interface security group that is attached to the EC2 instance by adding a Deny entry in the inbound list for the port and the source

IP addresses.

D.

Create a new network ACL for the subnet. Deny all traffic from the EC2 instance to prevent data from being removed.

Question 43

A security engineer needs to implement a write-once-read-many (WORM) model for data that a company will store in Amazon S3 buckets. The company uses the S3 Standard storage class for all of its S3 buckets. The security engineer must en-sure that objects cannot be overwritten or deleted by any user, including the AWS account root user.

Which solution will meet these requirements?

Options:

A.

Create new S3 buckets with S3 Object Lock enabled in compliance mode. Place objects in the S3 buckets.

B.

Use S3 Glacier Vault Lock to attach a Vault Lock policy to new S3 buckets. Wait 24 hours to complete the Vault Lock process. Place objects in the S3 buckets.

C.

Create new S3 buckets with S3 Object Lock enabled in governance mode. Place objects in the S3 buckets.

D.

Create new S3 buckets with S3 Object Lock enabled in governance mode. Add a legal hold to the S3 buckets. Place objects in the S3 buckets.

Page: 10 / 24
Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty
Last Update: Apr 15, 2024
Questions: 327
SCS-C02 pdf

SCS-C02 PDF

$32  $80
SCS-C02 Engine

SCS-C02 Testing Engine

$38  $95
SCS-C02 PDF + Engine

SCS-C02 PDF + Testing Engine

$52  $130