Helping Hand Questions for SCS-C01

Page: 28 / 43

Question 112

A company uses Amazon RDS for MySQL as a database engine for its applications. A recent security audit revealed an RDS instance that is not compliant with company policy for encrypting data at rest. A security engineer at the company needs to ensure that all existing RDS databases are encrypted using server-side encryption and that any future deviations from the policy are detected.

Which combination of steps should the security engineer take to accomplish this? (Select TWO.)

Options:

Create an IAM Config rule to detect the creation of unencrypted RDS databases. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to trigger on the IAM Config rules compliance state change and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.

Use IAM System Manager State Manager to detect RDS database encryption configuration drift. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to track state changes and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.

Create a read replica for the existing unencrypted RDS database and enable replica encryption in the process. Once the replica becomes active, promote it into a standalone database instance and terminate the unencrypted database instance.

Take a snapshot of the unencrypted RDS database. Copy the snapshot and enable snapshot encryption in the process. Restore the database instance from the newly created encrypted snapshot. Terminate the unencrypted database instance.

Enable encryption for the identified unencrypted RDS instance by changing the configurations of the existing database

Question 113

A company deploys a distributed web application on a fleet of Amazon EC2 instances. The fleet is behind an Application Load Balancer (ALB) that will be configured to terminate the TLS connection. All TLS traffic to the ALB must stay secure, even if the certificate private key is compromised.

How can a security engineer meet this requirement?

Options:

Create an HTTPS listener that uses a certificate that is managed by IAM Certificate Manager (ACM).

Create an HTTPS listener that uses a security policy that uses a cipher suite with perfect toward secrecy (PFS).

Create an HTTPS listener that uses the Server Order Preference security feature.

Create a TCP listener that uses a custom security policy that allows only cipher suites with perfect forward secrecy (PFS).

Question 114

A security engineer configures Amazon S3 Cross-Region Replication (CRR) for all objects that are in an S3 bucket in the us-east-1. Region Some objects in this S3 bucket use server-side encryption with AWS KMS keys (SSE-KMS) for encryption at test. The security engineer creates a destination S3 bucket in the us-west-2 Region. The destination S3 bucket is in the same AWS account as the source S3 bucket.

The security engineer also creates a customer managed key in us-west-2 to encrypt objects at rest in the destination S3 bucket. The replication configuration is set to use the key in us-west-2 to encrypt objects in the destination S3 bucket. The security engineer has provided the S3 replication configuration with an IAM role to perform the replication in Amazon S3.

After a day, the security engineer notices that no encrypted objects from the source S3 bucket are replicated to the destination S3 bucket. However, all the unencrypted objects are replicated.

Which combination of steps should the security engineer take to remediate this issue? (Select THREE.)

Options:

Change the replication configuration to use the key in us-east-1 to encrypt the objects that are in the destination S3 bucket.

Grant the IAM role the kms. Encrypt permission for the key in us-east-1 that encrypts source objects.

Grant the IAM role the s3 GetObjectVersionForReplication permission for objects that are in the source S3 bucket.

Grant the IAM role the kms. Decrypt permission for the key in us-east-1 that encrypts source objects.

Change the key policy of the key in us-east-1 to grant the kms. Decrypt permission to the security engineer's IAM account.

Grant the IAM role the kms Encrypt permission for the key in us-west-2 that encrypts objects that are in the destination S3 bucket.

Question 115

A security engineer must troubleshoot an administrator's inability to make an existing Amazon S3 bucket public in an account that is part of an organization n IAM Organizations. The administrator switched the role from the master account to a member account and then attempted to make one S3 bucket public. This action was immediately denied

Which actions should the security engineer take to troubleshoot the permissions issue? (Select TWO.)

Options:

Review the cross-account role permissions and the S3 bucket policy Verify that the Amazon S3 block public access option in the member account is deactivated.

Review the role permissions m the master account and ensure it has sufficient privileges to perform S3 operations

Filter IAM CloudTrail logs for the master account to find the original deny event and update the cross-account role m the member account accordingly Verify that the Amazon S3 block public access option in the master account is deactivated.

Evaluate the SCPs covering the member account and the permissions boundary of the role in the member account for missing permissions and explicit denies.

Ensure the S3 bucket policy explicitly allows the s3 PutBucketPublicAccess action for the role m the member account

Page: 28 / 43