AWS Certified Specialty SCS-C01 Dumps PDF

Option A is invalid because once you schedule the deletion and waiting period ends, you cannot come back from the deletion process.

Option C and D are invalid because these will not check to see if the keys are being used or not

The IAM Documentation mentions the following

Deleting a customer master key (CMK) in IAM Key Management Service (IAM KMS) is destructive and potentially dangerous. It deletes the key material and all metadata associated with the CMK, and is irreversible. After a CMK is deleted you can no longer decrypt the data that was encrypted under that CMK, which means that data becomes unrecoverable. You should delete a CMK only when you are sure that you don't need to use it anymore. If you are not sure, consider disabling the CMK instead of deleting it. You can re-enable a disabled CMK if you need to use it again later, but you cannot recover a deleted CMK.

For more information on deleting keys from KMS, please visit the below URL:

https://docs.IAM.amazon.com/kms/latest/developereuide/deleting-keys.html

The correct answer is: Disable the keys Submit your Feedback/Queries to our Experts

Option A and B are invalid because mapping keys to services cannot be done via either the IAM or bucket policy

Option D is invalid because keys for IAM users cannot be assigned to services

This is mentioned in the IAM Documentation

The kms:ViaService condition key limits use of a customer-managed CMK to requests from particular IAM services. (IAM managed CMKs in your account, such as IAM/s3, are always restricted to the IAM service that created them.)

For example, you can use kms:V1aService to allow a user to use a customer managed CMK only for requests that Amazon S3 makes on their behalf. Or you can use it to deny the user permission to a CMK when a request on their behalf comes from IAM Lambda.

For more information on key policy's for KMS please visit the following URL:

https://docs.IAM.amazon.com/kms/latest/developereuide/policy-conditions.html

The correct answer is: Use the kms:ViaServtce condition in the Key policy Submit your Feedback/Queries to our Experts

The Load Balancer should accept traffic on ow port 80 and 443 traffic from 0.0.0.0/0

The backend EC2 Instances should accept traffic from the Load Balancer

The database should allow traffic from the Web server

And the Bastion host should only allow traffic from a specific corporate IP address range

Option A is incorrect because the Web group should only allow traffic from the Load balancer

For more information on IAM Security Groups, please refer to below URL:

https://docs.IAM.amazon.com/IAMEC2/latest/UserGuide/usins-network-security.htmll

The correct answer is: sgLB :allow port 80 and 443 traffic from 0.0.0.0/0

sgWeb :allow port 80 and 443 traffic from sgLB

sgDB :allow port 3306 traffic from sgWeb and sgBastion

sgBastion: allow port 22 traffic from the corporate IP address range

Submit your Feedback/Queries to our Experts

The ideal setup is to ensure that the web server is hosted in the public subnet so that it can be accessed by users on the internet. The database server can be hosted in the private subnet.

The below diagram from the IAM Documentation shows how this can be setup

C:\Users\wk\Desktop\mudassar\Untitled.jpg

Option A and C are invalid because if you move the web server to a private subnet, then it cannot be accessed by users Option D is invalid because NAT instances should be present in the public subnet

For more information on public and private subnets in IAM, please visit the following url

com/AmazonVPC/latest/UserGuide/VPC Scenario2.

The correct answer is: Consider moving the database server to a private subnet Submit your Feedback/Queries to our Experts