Pre-Winter Special Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: bigdisc65

SCS-C02 VCE Exam Download

Page: 3 / 24
Question 12

A company uses an Amazon S3 bucket to store reports Management has mandated that all new objects stored in this bucket must be encrypted at rest using server-side encryption with a client-specified IAM Key Management Service (IAM KMS) CMK owned by the same account as the S3 bucket. The IAM account number is 111122223333, and the bucket name Is report bucket. The company's security specialist must write the S3 bucket policy to ensure the mandate can be Implemented

Which statement should the security specialist include in the policy?

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

E.

Option A

F.

Option B

G.

Option C

Question 13

A company is designing a multi-account structure for its development teams. The company is using AWS Organizations and AWS Single Sign-On (AWS SSO). The company must implement a solution so that the development teams can use only specific AWS Regions and so that each AWS account allows access to only specific AWS services.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.

Use AWS SSO to set up service-linked roles with IAM policy statements that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.

B.

Deactivate AWS Security Token Service (AWS STS) in Regions that the developers are not allowed to use.

C.

Create SCPs that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.

D.

For each AWS account, create tailored identity-based policies for AWS SSO. Use statements that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.

Question 14

The Security Engineer is managing a traditional three-tier web application that is running on Amazon EC2 instances. The application has become the target of increasing numbers of malicious attacks from the Internet.

What steps should the Security Engineer take to check for known vulnerabilities and limit the attack surface? (Choose two.)

Options:

A.

Use AWS Certificate Manager to encrypt all traffic between the client and application servers.

B.

Review the application security groups to ensure that only the necessary ports are open.

C.

Use Elastic Load Balancing to offload Secure Sockets Layer encryption.

D.

Use Amazon Inspector to periodically scan the backend instances.

E.

Use AWS Key Management Services to encrypt all the traffic between the client and application servers.

Question 15

A security analyst attempted to troubleshoot the monitoring of suspicious security group changes. The analyst was told that there is an Amazon CloudWatch alarm in place for these AWS CloudTrail log events. The analyst tested the monitoring setup by making a configuration change to the security group but did not receive any alerts.

Which of the following troubleshooting steps should the analyst perform?

Options:

A.

Ensure that CloudTrail and S3 bucket access logging is enabled for the analyst's AWS account.

B.

Verify that a metric filter was created and then mapped to an alarm. Check the alarm notification action.

C.

Check the CloudWatch dashboards to ensure that there is a metric configured with an appropriate dimension for security group changes.

D.

Verify that the analyst's account is mapped to an IAM policy that includes permissions for cloudwatch:GetMetricStatistics and cloudwatch:ListMetrics.

Page: 3 / 24
Exam Code: SCS-C02
Exam Name: AWS Certified Security - Specialty
Last Update: Oct 10, 2024
Questions: 327
SCS-C02 pdf

SCS-C02 PDF

$28  $80
SCS-C02 Engine

SCS-C02 Testing Engine

$33.25  $95
SCS-C02 PDF + Engine

SCS-C02 PDF + Testing Engine

$45.5  $130