SCS-C02 Exam Dumps - Amazon Web Services AWS Certified Specialty Questions and Answers

Turn on the awslogs log driver by specifying parameters for awslogs-group and awslogs-region m the LogConfiguration property

Download and configure the CloudWatch agent on the container instances

Set up Fluent Bit and FluentO as a DaemonSet to send logs to Amazon CloudWatch Logs

Configure an 1AM policy that includes the togs CreateLogGroup action Assign the policy to the container instances

Attach a policy to the IAM user to allow the user to assume the role that was created in the top-level account. Specify the role's ARN in the policy.

Create an SCP that grants permissions to the top-level account.

Use the root account of the business unit account to assume the role that was created in the top-level account. Specify the role'sARNin the policy.

Forward the credentials of the IAM role in the top-level account to the IAM user in the business unit account.

Enable AWS Security Hub in the organization’s management account. Configure GuardDuty within the management account to send all GuardDuty findings toSecurity Hub.

Create a new AWS account in the organization. Enable GuardDuty in the new account. Designate the new account as the delegated administrator account forGuardDuty. Configure GuardDuty to add existing accounts as member accounts. Select the option to automatically add new AWS accounts to the organization

Create a new AWS account in the organization. Enable GuardDuty in the new account. Enable AWS Security Hub in each account. Select the option toautomatically add new AWS accounts to the organization.

Enable AWS Security Hub in the organization's management account. Designate the management account as the delegated administrator account for SecurityHub. Add existing accounts as member accounts. Select the option to automatically add new AWS accounts to the organization. Send all Security Hub findingsto the organization's GuardDuty account.

Create a pre sign-up AWS Lambda trigger. Associate the Amazon Cognito function with the Amazon Cognito user pool.

Use a geographic match rule statement to configure an AWS WAF web ACL. Associate the web ACL with the Amazon Cognito user pool.

Configure an app client for the application's Amazon Cognito user pool. Use the app client ID to validate the requests in the hosted Ul.

Update the application's Amazon Cognito user pool to configure a geographic restriction setting.

Use Amazon Cognito to configure a social identity provider (IdP) to validate the requests on the hosted Ul.

Create CloudFormation templates in an administrator AWS account. Share the stack sets with an application AWS account. Restrict the template to be used specifically by the application AWS account.

Create CloudFormation templates in an application AWS account. Share the output with an administrator AWS account to review compliant resources. Restrict output to only the administrator AWS account.

Use permissions boundaries to prevent the application AWS account from provisioning specific resources unless conditions for the internal compli-ance requirements are met.

Use SCPs to prevent the application AWS account from provisioning specific resources unless conditions for the internal compliance requirements are met.

Activate AWS Config managed rules for each service in the application AWS account.

Review the IAM CloudTrail event history logs in an Amazon S3 bucket and look for the Terminatelnstances event to identify the federated user from the role session name.

Filter the IAM CloudTrail event history for the Terminatelnstances event and identify the assumed IAM role. Review the AssumeRoleWithSAML event call in CloudTrail to identify the corresponding username.

Search the IAM CloudTrail logs for the Terminatelnstances event and note the event time. Review the IAM Access Advisor tab for all federated roles. The last accessed time should match the time when the instance was terminated.

Use Amazon Athena to run a SQL query on the IAM CloudTrail logs stored in an Amazon S3 bucket and filter on the Terminatelnstances event. Identify the corresponding role and run another query to filter the AssumeRoleWithWebldentity event for the user name.

Deploy an SCP that includes the S3: * action with the "awsSourceVpc": "S {aws: Ec2lnstanceSourceVpc}" condition.

Edit the VPC endpoints to include the S3:' action with the "aws: Ec2lnstanceSourcePrivatelPv4": "${aws:VpcSourcelp}" condition.

Limit all actions in the S3 bucket policies by using the aws:SourceVpce condition key with the value of the allowed VPC endpoint.

Limit all actions in the S3 bucket policies by using the aws:SourceVpc condition key with the value to the allowed VPC ID.

Open a support case with the IAM Security team and ask them to remove the malicious code from the affected instance

Respond to the notification and list the actions that have been taken to address the incident

Delete all IAM users and resources in the account

Detach the internet gateway from the VPC remove aft rules that contain 0.0.0.0V0 from the security groups, and create a NACL rule to deny all traffic Inbound from the internet

Delete the identified compromised instances and delete any associated resources that the Security team did not create.

Enable Amazon Macie. Run an on-demand sensitive data discovery job that uses the PERSONALJNFORMATION managed data identifier.

Use AWS Glue with the Detect Pll transform to identify sensitive data and to mask the sensitive data.

Enable AWS Audit Manager. Create an assessment by using a supported framework.

Enable Amazon GuardDuty S3 Protection Document any findings that are related to suspicious access of S3 buckets.

Enable AWS Security Hub. Use the AWS Foundational Security Best Practices standard. Review the controls dashboard for evidence of failed S3 Block Public Access controls.

Enable AWS Config Set up the s3-bucket-public-write-prohibited AWS Config managed rule.

Configure the DB instance to allow public access Update the DB instance security group to allow access from the Lambda public address space for the AWS Region

Deploy the Lambda functions inside the VPC Attach a network ACL to the Lambda subnet Provide outbound rule access to the VPC CIDR range only Update the DB instance security group to allow traffic from 0 0 0 0/0

Deploy the Lambda functions inside the VPC Attach a security group to the Lambda functions Provide outbound rule access to the VPC CIDR range only Update the DB instance security group to allow traffic from the Lambda security group

Peer the Lambda default VPC with the VPC that hosts the DB instance to allow direct network access without the need for security groups