Online SCS-C01 Questions Video

Page: 40 / 43

Question 160

A company is using IAM Organizations to manage multiple IAM accounts. The company has an application that allows users to assume the AppUser IAM role to download files from an Amazon S3 bucket that is encrypted with an IAM KMS CMK However when users try to access the files in the S3 bucket they get an access denied error.

What should a Security Engineer do to troubleshoot this error? (Select THREE )

Options:

Ensure the KMS policy allows the AppUser role to have permission to decrypt for the CMK

Ensure the S3 bucket policy allows the AppUser role to have permission to get objects for the S3 bucket

Ensure the CMK was created before the S3 bucket.

Ensure the S3 block public access feature is enabled for the S3 bucket.

Ensure that automatic key rotation is disabled for the CMK

Ensure the SCPs within Organizations allow access to the S3 bucket.

Question 161

A company has multiple production IAM accounts. Each account has IAM CloudTrail configured to log to a single Amazon S3 bucket in a central account. Two of the production accounts have trails that are not logging anything to the S3 bucket.

Which steps should be taken to troubleshoot the issue? (Choose three.)

Options:

Verify that the log file prefix is set to the name of the S3 bucket where the logs should go.

Verify that the S3 bucket policy allows access for CloudTrail from the production IAM account IDs.

Create a new CloudTrail configuration in the account, and configure it to log to the account’s S3 bucket.

Confirm in the CloudTrail Console that each trail is active and healthy.

Open the global CloudTrail configuration in the master account, and verify that the storage location is set to the correct S3 bucket.

Confirm in the CloudTrail Console that the S3 bucket name is set correctly.

Question 162

A Web Administrator for the website example.com has created an Amazon CloudFront distribution for dev.example.com, with a requirement to configure HTTPS using a custom TLS certificate imported to IAM Certificate Manager.

Which combination of steps is required to ensure availability of the certificate in the CloudFront console? (Choose two.)

Options:

Call UploadServerCertificate with /cloudfront/dev/ in the path parameter.

Import the certificate with a 4,096-bit RSA public key.

Ensure that the certificate, private key, and certificate chain are PKCS #12-encoded.

Import the certificate in the us-east-1 (N. Virginia) Region.

Ensure that the certificate, private key, and certificate chain are PEM-encoded.

Question 163

An employee accidentally exposed an IAM access key and secret access key during a public presentation. The company Security Engineer immediately disabled the key.

How can the Engineer assess the impact of the key exposure and ensure that the credentials were not misused? (Choose two.)