AWS Certified Specialty Changed SCS-C01 Questions

Page: 17 / 43

Question 68

An application running on EC2 instances must use a username and password to access a database. The developer has stored those secrets in the SSM Parameter Store with type SecureString using the default KMS CMK. Which combination of configuration steps will allow the application to access the secrets via the API? Select 2 answers from the options below

Please select:

Options:

Add the EC2 instance role as a trusted service to the SSM service role.

Add permission to use the KMS key to decrypt to the SSM service role.

Add permission to read the SSM parameter to the EC2 instance role. .

Add permission to use the KMS key to decrypt to the EC2 instance role

Add the SSM service role as a trusted service to the EC2 instance role.

Question 69

A company stores data on an Amazon EBS volume attached to an Amazon EC2 instance. The data is asynchronously replicated to an Amazon S3 bucket. Both the EBS volume and the S3 bucket are encrypted with the same IAM KMS Customer Master Key (CMK). A former employee scheduled a deletion of that CMK before leaving the company.

The company’s Developer Operations department learns about this only after the CMK has been deleted.

Which steps must be taken to address this situation?

Options:

Copy the data directly from the EBS encrypted volume before the volume is detached from the EC2 instance.

Recover the data from the EBS encrypted volume using an earlier version of the KMS backing key.

Make a request to IAM Support to recover the S3 encrypted data.

Make a request to IAM Support to restore the deleted CMK, and use it to recover the data.

Question 70

Your IT Security team has advised to carry out a penetration test on the resources in their company's IAM Account. This is as part of their capability to analyze the security of the Infrastructure. What should be done first in this regard?

Please select:

Options:

Turn on Cloud trail and carry out the penetration test

Turn on VPC Flow Logs and carry out the penetration test

Submit a request to IAM Support

Use a custom IAM Marketplace solution for conducting the penetration test

Question 71

A Developer who is following IAM best practices for secure code development requires an application to encrypt sensitive data to be stored at rest, locally in the application, using IAM KMS. What is the simplest and MOST secure way to decrypt this data when required?

Options:

Request KMS to provide the stored unencrypted data key and then use the retrieved data key to decrypt the data.

Keep the plaintext data key stored in Amazon DynamoDB protected with IAM policies. Query DynamoDB to retrieve the data key to decrypt the data

Use the Encrypt API to store an encrypted version of the data key with another customer managed key. Decrypt the data key and use it to decrypt the data when required.

Store the encrypted data key alongside the encrypted data. Use the Decrypt API to retrieve the data key to decrypt the data when required.