Summer Limited Time 60% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: dealsixty

SCS-C02 Exam Results

Page: 11 / 24
Question 44

A security engineer is checking an AWS CloudFormation template for vulnerabilities. The security engineer finds a parameter that has a default value that exposes an application's API key in plaintext. The parameter is referenced several times throughout the template. The security engineer must replace the

parameter while maintaining the ability to reference the value in the template.

Which solution will meet these requirements in the MOST secure way?

{resolve:s3:MyBucketName:MyObjectName}}.

Options:

A.

Store the API key value as a SecureString parameter in AWS Systems Manager Parameter Store. In the template, replace all references to the value with {{resolve:ssm:MySSMParameterName:I}}.

B.

Store the API key value in AWS Secrets Manager. In the template, replace all references to the value with { {resolve:secretsmanager:MySecretId:SecretString}}.

C.

Store the API key value in Amazon DynamoDB. In the template, replace all references to the value with {{resolve:dynamodb:MyTableName:MyPrimaryKey}}.

D.

Store the API key value in a new Amazon S3 bucket. In the template, replace all references to the value with {

Question 45

A company has hundreds of AWS accounts in an organization in AWS Organizations. The company operates out of a single AWS Region. The company has a dedicated security tooling AWS account in the organization. The security tooling account is configured as the organization's delegated administrator for Amazon GuardDuty and AWS Security Hub. The company has configured the environment to automatically enable GuardDuty and Security Hub for existing AWS accounts and new AWS accounts.

The company is performing control tests on specific GuardDuty findings to make sure that the company's security team can detect and respond to security events. The security team launched an Amazon EC2 instance and attempted to run DNS requests against a test domain, example.com, to generate a DNS finding. However, the GuardDuty finding was never created in the Security Hub delegated administrator account.

Why was the finding was not created in the Security Hub delegated administrator account?

Options:

A.

VPC flow logs were not turned on for the VPC where the EC2 instance was launched.

B.

The VPC where the EC2 instance was launched had the DHCP option configured for a custom OpenDNS resolver.

C.

The GuardDuty integration with Security Hub was never activated in the AWS account where the finding was generated.

D.

Cross-Region aggregation in Security Hub was not configured.

Question 46

A company hosts a public website on an Amazon EC2 instance. HTTPS traffic must be able to access the website. The company uses SSH for management of the web server.

The website is on the subnet 10.0.1.0/24. The management subnet is 192.168.100.0/24. A security engineer must create a security group for the EC2

instance.

Which combination of steps should the security engineer take to meet these requirements in the MOST secure manner? (Select TWO.)

Options:

A.

Allow port 22 from source 0.0.0.0/0.

B.

Allow port 443 from source 0.0.0.0/0.

C.

Allow port 22 from 192.168.100.0/24.

D.

Allow port 22 from 10.0.1.0/24.

E.

Allow port 443 from 10.0.1.0/24.

Question 47

A security engineer recently rotated all IAM access keys in an AWS account. The security engineer then configured AWS Config and enabled the following AWS

Config managed rules; mfa-enabled-for-iam-console-access, iam-user-mfa-enabled, access-key-rotated, and iam-user-unused-credentials-check.

The security engineer notices that all resources are displaying as noncompliant after the IAM GenerateCredentialReport API operation is invoked.

What could be the reason for the noncompliant status?

Options:

A.

The IAM credential report was generated within the past 4 hours.

B.

The security engineer does not have the GenerateCredentialReport permission.

C.

The security engineer does not have the GetCredentialReport permission.

D.

The AWS Config rules have a MaximumExecutionFrequency value of 24 hours.

Page: 11 / 24
Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty
Last Update: Apr 15, 2024
Questions: 327
SCS-C02 pdf

SCS-C02 PDF

$32  $80
SCS-C02 Engine

SCS-C02 Testing Engine

$38  $95
SCS-C02 PDF + Engine

SCS-C02 PDF + Testing Engine

$52  $130