SCS-C01 Exam Questions Tutorials

Page: 41 / 43

Question 164

A company has multiple IAM accounts that are part of IAM Organizations. The company's Security team wants to ensure that even those Administrators with full access to the company's IAM accounts are unable to access the company's Amazon S3 buckets

How should this be accomplished?

Options:

UseSCPs

Add a permissions boundary to deny access to Amazon S3 and attach it to all roles

Use an S3 bucket policy

Create a VPC endpoint for Amazon S3 and deny statements for access to Amazon S3

Question 165

A security engineer has noticed an unusually high amount of traffic coming from a single IP address. This was discovered by analyzing the Application Load Balancer's access logs. How can the security engineer limit the number of requests from a specific IP address without blocking the IP address?

Options:

Add a rule to the Application Load Balancer to route the traffic originating from the IP address in question and show a static webpage.

Implement a rate-based rule with IAM WAF

Use IAM Shield to limit the originating traffic hit rate.

Implement the GeoLocation feature in Amazon Route 53.

Question 166

A company's information security team want to do near-real-time anomaly detection on Amazon EC2 performance and usage statistics. Log aggregation is the responsibility of a security engineer. To do the study, the Engineer needs gather logs from all of the company's IAM accounts in a single place.

How should the Security Engineer go about doing this?

Options:

Log in to each account four times a day and filter the IAM CloudTrail log data, then copy and paste the logs in to the Amazon S3 bucket in the destination account.

Set up Amazon CloudWatch to stream data to an Amazon S3 bucket in each source account. Set up bucket replication for each source account into a centralized bucket owned by the Security Engineer.

Set up an IAM Config aggregator to collect IAM configuration data from multiple sources.

Set up Amazon CloudWatch cross-account log data sharing with subscriptions in each account. Send the logs to Amazon Kinesis Data Firehose in the Security Engineer's account.

Question 167

Two Amazon EC2 instances in different subnets should be able to connect to each other but cannot. It has been confirmed that other hosts in the same subnets are able to communicate successfully, and that security groups have valid ALLOW rules in place to permit this traffic.

Which of the following troubleshooting steps should be performed?