
2024 Updated SCS-C02 Exam Questions & Practice Tests, AWS Certified Security - Specialty | SPOTO

The AWS Certified Security - Specialty (SCS-C02) exam is a comprehensive test that evaluates your proficiency in creating and implementing security solutions within the AWS Cloud environment. This certification signifies your mastery of professional data classification, AWS data protection mechanisms, data encryption methods, and their implementations in AWS. Additionally, it validates your knowledge of secure Internet protocols and their integration with AWS security mechanisms. Prepare for success with our updated 2024 SCS-C02 Exam Questions & Practice Tests. Access a range of exam questions, practice tests, and sample questions to enhance your understanding and readiness. Our resources include free quizzes, exam materials, and exam answers to help you practice effectively. Utilize our exam simulator for a realistic exam experience and boost your confidence for the actual test.


Question #1
A company runs workloads in the us-east-1 Region. The company has never deployed resources to other AWS Regions and does not have any multi-Region resources. The company needs to replicate its workloads and infrastructure to the us-west-1 Region. A security engineer must implement a solution that uses AWS Secrets Manager to store secrets in both Regions. The solution must use AWS Key Management Service (AWS KMS) to encrypt the secrets. The solution must minimize latency and must be able to work if only one
A. Encrypt the secrets in us-east-1 by using an AWS managed KMS key
B. Encrypt the secrets in us-east-1 by using an AWS managed KMS key
C. Encrypt the secrets in us-east-1 by using a customer managed KMS key
D. Encrypt the secrets in us-east-1 by using a customer managed KMS key
Correct Answer: D
Question #2
A company's Director of Information Security wants a daily email report from AWS that contains recommendations for each company account to meet AWS security best practices. Which solution would meet these requirements?
A. In every AWS account, configure AWS Lambda to query the AWS Support API for AWS Trusted Advisor security checks. Send the results from Lambda to an Amazon SNS topic to send reports
B. Configure Amazon GuardDuty in a master account and invite all other accounts to be managed by the master account. Use GuardDuty's integration with Amazon SNS to report on findings
C. Use Amazon Athena and Amazon QuickSight to build reports off of AWS CloudTrail. Create a daily Amazon CloudWatch trigger to run the report daily and email it using Amazon SNS
D. Use AWS Artifact's prebuilt reports and subscriptions. Subscribe the Director of Information Security to the reports by adding the Director as the security alternate contact for each account
Correct Answer: BD
Question #3
During a recent security audit, it was discovered that multiple teams in a large organization have placed restricted data in multiple Amazon S3 buckets, and the data may have been exposed. The auditor has requested that the organization identify all possible objects that contain personally identifiable information (PII) and then determine whether this information has been accessed. What solution will allow the Security team to complete this request?
A. Using Amazon Athena, query the impacted S3 buckets by using the PII query identifier function
B. Then, create a new Amazon CloudWatch metric for Amazon S3 object access to alert when the objects are accessed
C. Enable Amazon Macie on the S3 buckets that were impacted, then perform data classification
D. For identified objects that contain PII, use the research function for auditing AWS CloudTrail logs and S3 bucket logs for GET operations
E. Enable Amazon GuardDuty and enable the PII rule set on the S3 buckets that were impacted, then perform data classification
F. Using the PII findings report from GuardDuty, query the S3 bucket logs by using Athena for GET operations
Correct Answer: A
Question #4
A security engineer is asked to update an AWS CloudTrail log file prefix for an existing trail. When attempting to save the change in the CloudTrail console, the security engineer receives the following error message: "There is a problem with the bucket policy". What will enable the security engineer to save the change?
A. Create a new trail with the updated log file prefix, and then delete the original trail. Update the existing bucket policy in the Amazon S3 console with the new log file prefix, and then update the log file prefix in the CloudTrail console
B. Update the existing bucket policy in the Amazon S3 console to allow the security engineer's principal to perform PutBucketPolicy
C. and then update the log file prefix in the CloudTrail console
D. Update the existing bucket policy in the Amazon S3 console with the new log file prefix, and then update the log file prefix in the CloudTrail console
E. Update the existing bucket policy in the Amazon S3 console to allow the security engineer's principal to perform GetBucketPolicy, and then update the log file prefix in the CloudTrail console
Correct Answer: A
Question #5
A security engineer is configuring a mechanism to send an alert when three or more failed sign-in attempts to the AWS Management Console occur during a 5-minute period. The security engineer creates a trail in AWS CloudTrail to assist in this work. Which solution will meet these requirements? The correct answer is B. Configure CloudTrail to send events to Amazon CloudWatch Logs. Create a metric filter for the relevant log group. Create a filter pattern with eventName matching ConsoleLogin and errorMessage m
A. In CloudTrail, turn on Insights events on the trail
B. Configure CloudTrail to send events to Amazon CloudWatch Logs
C. Create an Amazon Athena table from the CloudTrail events
D. In AWS Identity and Access Management Access Analyzer, create a new analyzer
Correct Answer: B
Question #6
A Security Engineer has discovered that, although encryption was enabled on the Amazon S3 bucket examplebucket, anyone who has access to the bucket has the ability to retrieve the files. The Engineer wants to limit access so that each IAM user can access an assigned folder only. What should the Security Engineer do to achieve this?
A. Use envelope encryption with the AWS-managed CMK aws/s3
B. Create a customer-managed CMK with a key policy granting “kms:Decrypt” based on the “${aws:username}” variable
C. Create a customer-managed CMK for each user
D. Add each user as a key user in their corresponding key policy
E. Change the applicable IAM policy to grant S3 access to “Resource”: “arn:aws:s3:::examplebucket/${aws:username}/*”
Correct Answer: B
Question #7
A company's Security Engineer has been asked to monitor and report all AWS account root user activities. Which of the following would enable the Security Engineer to monitor and report all root user activities? (Select TWO)
A. Configuring AWS Organizations to monitor root user API calls on the paying account
B. Creating an Amazon CloudWatch Events rule that will trigger when any API call from the root user is reported
C. Configuring Amazon Inspector to scan the AWS account for any root user activity
D. Configuring AWS Trusted Advisor to send an email to the Security team when the root user logs in to the console
E. Using Amazon SNS to notify the target group
Correct Answer: D
Question #8
Your company has mandated that all calls to the AWS KMS service be recorded. How can this be achieved? Please select:
A. Enable logging on the KMS service
B. Enable a trail in CloudTrail
C. Enable CloudWatch Logs
D. Use CloudWatch metrics
Correct Answer: C
Question #9
A company needs to implement DNS Security Extensions (DNSSEC) for a specific subdomain. The subdomain is already registered with Amazon Route 53. A security engineer has enabled DNSSEC signing and has created a key-signing key (KSK). When the security engineer tries to test the configuration, the security engineer receives an error for a broken trust chain. What should the security engineer do to resolve this error?
A. Replace the KSK with a zone-signing key (ZSK)
B. Deactivate and then activate the KSK
C. Create a Delegation Signer (DS) record in the parent hosted zone
D. Create a Delegation Signer (DS) record in the subdomain
Correct Answer: C
Question #10
During a security event, it is discovered that some Amazon EC2 instances have not been sending Amazon CloudWatch logs. Which steps can the Security Engineer take to troubleshoot this issue? (Select two.)
A. Connect to the EC2 instances that are not sending the appropriate logs and verify that the CloudWatch Logs agent is running
B. Log in to the AWS account and select CloudWatch Logs
C. Check for any monitored EC2 instances that are in the “Alerting” state and restart them using the EC2 console
D. Verify that the EC2 instances have a route to the public AWS API endpoints
E. Connect to the EC2 instances that are not sending logs
F. Use the command prompt to verify that the right permissions have been set for the Amazon SNS topic
Correct Answer: B
Question #11
A Software Engineer wrote a customized reporting service that will run on a fleet of Amazon EC2 instances. The company security policy states that application logs for the reporting service must be centrally collected. What is the MOST efficient way to meet these requirements?
A. Write an AWS Lambda function that logs into the EC2 instance to pull the application logs from the EC2 instance and persists them into an Amazon S3 bucket
B. Enable AWS CloudTrail logging for the AWS account, create a new Amazon S3 bucket, and then configure Amazon CloudWatch Logs to receive the application logs from CloudTrail
C. Create a simple cron job on the EC2 instances that synchronizes the application logs to an Amazon S3 bucket by using rsync
D. Install the Amazon CloudWatch Logs Agent on the EC2 instances, and configure it to send the application logs to CloudWatch Logs
Correct Answer: A
Question #12
A company uses multiple AWS accounts managed with AWS Organizations. Security engineers have created a standard set of security groups for all these accounts. The security policy requires that these security groups be used for all applications and delegates modification authority to the security team only. A recent security audit found that the security groups are inconsistently implemented across accounts and that unauthorized changes have been made to the security groups. A security engineer needs to recomm
A. Use AWS Resource Access Manager to create shared resources for each required security group and apply an IAM policy that permits read-only access to the security groups only
B. Create an AWS CloudFormation template that creates the required security groups. Execute the template as part of configuring new accounts. Enable Amazon Simple Notification Service (Amazon SNS) notifications when changes occur
C. Use AWS Firewall Manager to create a security group policy, enable the policy feature to identify and revert local changes, and enable automatic remediation
D. Use AWS Control Tower to edit the account factory template to enable the share security groups option. Apply an SCP to the OU or individual accounts that prohibits security group modifications from local account users
Correct Answer: A
Question #13
A Security Administrator is performing a log analysis as a result of a suspected AWS account compromise. The Administrator wants to analyze suspicious AWS CloudTrail log files but is overwhelmed by the volume of audit logs being generated. What approach enables the Administrator to search through the logs MOST efficiently?
A. Implement a “write-only” CloudTrail event filter to detect any modifications to the AWS account resources
B. Configure Amazon Macie to classify and discover sensitive data in the Amazon S3 bucket that contains the CloudTrail audit logs
C. Configure Amazon Athena to read from the CloudTrail S3 bucket and query the logs to examine account activities
D. Enable Amazon S3 event notifications to trigger an AWS Lambda function that sends an email alarm when there are new CloudTrail API entries
Correct Answer: A
Question #14
A Security Administrator at a university is configuring a fleet of Amazon EC2 instances. The EC2 instances are shared among students, and non-root SSH access is allowed. The Administrator is concerned about students attacking other AWS account resources by using the EC2 instance metadata service. What can the Administrator do to protect against this potential attack?
A. Disable the EC2 instance metadata service
B. Log all student SSH interactive session activity
C. Implement iptables-based restrictions on the instances
D. Install the Amazon Inspector agent on the instances
Correct Answer: B
Question #15
Some highly sensitive analytics workloads are to be moved to Amazon EC2 hosts. Threat modeling has found that a risk exists where a subnet could be maliciously or accidentally exposed to the internet. Which of the following mitigations should be recommended?
A. Use AWS Config to detect whether an Internet Gateway is added and use an AWS Lambda function to provide auto-remediation
B. Within the Amazon VPC configuration, mark the VPC as private and disable Elastic IP addresses
C. Use IPv6 addressing exclusively on the EC2 hosts, as this prevents the hosts from being accessed from the internet
D. Move the workload to a Dedicated Host, as this provides additional network security controls and monitoring
Correct Answer: A
Question #16
A Security Engineer for a large company is managing a data processing application used by 1,500 subsidiary companies. The parent and subsidiary companies all use AWS. The application uses TCP port 443 and runs on Amazon EC2 behind a Network Load Balancer (NLB). For compliance reasons, the application should only be accessible to the subsidiaries and should not be available on the public internet. To meet the compliance requirements for restricted access, the Engineer has received the public and private CIDR
A. Create a NACL to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges
B. Create an AWS security group to allow access on TCP port 443 from the 1,500 subsidiary CIDR block ranges
C. Associate the security group to the NLB
D. Create a second security group for EC2 instances with access on TCP port 443 from the NLB security group
E. Create an AWS PrivateLink endpoint service in the parent company account attached to the NLB
F. Create an AWS security group for the instances to allow access on TCP port 443 from the AWS PrivateLink endpoint
Correct Answer: A
Question #17
A Security Engineer must implement mutually authenticated TLS connections between containers that communicate inside a VPC. Which solution would be MOST secure and easy to maintain?
A. Use AWS Certificate Manager to generate certificates from a public certificate authority and deploy them to all the containers
B. Create a self-signed certificate in one container and use AWS Secrets Manager to distribute the certificate to the other containers to establish trust
C. Use AWS Certificate Manager Private Certificate Authority (ACM PCA) to create a subordinate certificate authority, then create the private keys in the containers and sign them using the ACM PCA API
D. Use AWS Certificate Manager Private Certificate Authority (ACM PCA) to create a subordinate certificate authority, then use AWS Certificate Manager to generate the private certificates and deploy them to all the containers
Correct Answer: ADF
Question #18
A company has several production AWS accounts and a central security AWS account. The security account is used for centralized monitoring and has IAM privileges to all resources in every corporate account. All of the company's Amazon S3 buckets are tagged with a value denoting the data classification of their contents. A Security Engineer is deploying a monitoring solution in the security account that will enforce bucket policy compliance. The system must monitor S3 buckets in all production accounts and co
A. Configure Amazon CloudWatch Events in the production accounts to send all S3 events to the security account event bus
B. Enable Amazon GuardDuty in the security account
C. and join the production accounts as members
D. Configure an Amazon CloudWatch Events rule in the security account to detect S3 bucket creation or modification events
E. Enable AWS Trusted Advisor and activate email notifications for an email address assigned to the security contact
F. Invoke an AWS Lambda function in the security account to analyze S3 bucket settings in response to S3 events, and send non-compliance notifications to the Security team
Correct Answer: BEF
Question #19
A company plans to use custom AMIs to launch Amazon EC2 instances across multiple AWS accounts in a single Region to perform security monitoring and analytics tasks. The EC2 instances are launched in EC2 Auto Scaling groups. To increase the security of the solution, a Security Engineer will manage the lifecycle of the custom AMIs in a centralized account and will encrypt them with a centrally managed AWS KMS CMK. The Security Engineer configured the KMS key policy to allow cross-account access. However, the
A. Create a customer-managed CMK in the centralized account
B. Allow other applicable accounts to use that key for cryptographic operations by applying proper cross-account permissions in the key policy
C. Create an IAM role in all applicable accounts and configure its access policy to allow the use of the centrally managed CMK for cryptographic operations
D. Configure EC2 Auto Scaling groups within each applicable account to use the created IAM role to launch EC2 instances
E. Create a customer-managed CMK in the centralized account
F. Allow other applicable accounts to use that key for cryptographic operations by applying proper cross-account permissions in the key policy
Correct Answer: A
Question #20
A company hosts a critical web application on the AWS Cloud. This is a key revenue-generating application for the company. The IT Security team is worried about potential DDoS attacks against the website. Senior management has also specified that immediate action needs to be taken in case of a potential DDoS attack. What should be done in this regard? Please select:
A. Consider using the AWS Shield Service
B. Consider using VPC Flow Logs to monitor traffic for DDoS attacks and quickly take action on a trigger of a potential attack
C. Consider using the AWS Shield Advanced Service
D. Consider using CloudWatch Logs to monitor traffic for DDoS attacks and quickly take action on a trigger of a potential attack
Correct Answer: A
Question #21
A security engineer must develop an encryption tool for a company. The company requires a cryptographic solution that supports the ability to perform cryptographic erasure on all resources protected by the key material in 15 minutes or less. Which AWS Key Management Service (AWS KMS) key solution will allow the security engineer to meet these requirements?
A. Use imported key material with a CMK
B. Use an AWS KMS CMK
C. Use an AWS managed CMK
D. Use an AWS KMS customer managed CMK
Correct Answer: A
Question #22
A company has complex connectivity rules governing ingress, egress, and communications between Amazon EC2 instances. The rules are so complex that they cannot be implemented within the limits of the maximum number of security groups and network access control lists (network ACLs). What mechanism will allow the company to implement all required network rules without incurring additional cost?
A. Configure AWS WAF rules to implement the required rules
B. Use the operating system's built-in, host-based firewall to implement the required rules
C. Use a NAT gateway to control ingress and egress according to the requirements
D. Launch an EC2-based firewall product from the AWS Marketplace, and implement the required rules in that product
Correct Answer: D
Question #23
A company wants to encrypt the private network between its on-premises environment and AWS. The company also wants a consistent network experience for its employees. What should the company do to meet these requirements?
A. Establish an AWS Direct Connect connection with AWS and set up a Direct Connect gateway
B. In the Direct Connect gateway configuration, enable IPsec and BGP, and then leverage native AWS network encryption between Availability Zones and Regions
C. Establish an AWS Direct Connect connection with AWS and set up a Direct Connect gateway
D. Using the Direct Connect gateway, create a private virtual interface and advertise the customer gateway private IP addresses
E. Create a VPN connection using the customer gateway and the virtual private gateway
F. Establish a VPN connection with the AWS virtual private cloud over the internet
Correct Answer: B
Question #24
A company has a VPC with an IPv6 address range and a public subnet with an IPv6 address block. The VPC currently hosts some public Amazon EC2 instances, but a Security Engineer needs to migrate a second application into the VPC that also requires IPv6 connectivity. This new application will occasionally make API requests to an external, internet-accessible endpoint to receive updates. However, the Security team does not want the application's EC2 instance exposed directly to the internet. The Security Engineer
A. Launch a NAT instance in the public subnet. Update the custom route table with a new route to the NAT instance
B. Remove the internet gateway, and add AWS PrivateLink to the VPC. Then update the custom route table with a new route to AWS PrivateLink
C. Add a managed NAT gateway to the VPC. Update the custom route table with a new route to the gateway
D. Add an egress-only internet gateway to the VPC
E. Update the custom route table with a new route to the gateway
Correct Answer: A
Question #25
An IAM user with full EC2 permissions could not start an Amazon EC2 instance after it was stopped for a maintenance task. Upon starting the instance, the instance state would change to “Pending”, but after a few seconds, it would switch back to “Stopped”. An inspection revealed that the instance has attached Amazon EBS volumes that were encrypted by using a Customer Master Key (CMK). When these encrypted volumes were detached, the IAM user was able to start the EC2 instances. The IAM user policy is as follo
A. kms:GenerateDataKey
B. kms:Decrypt
C. kms:CreateGrant
D. “Condition”: {“Bool”: {“kms:ViaService”: “ec2
E. “Condition”: {“Bool”: {“kms:GrantIsForAWSResource”: true}}
Correct Answer: B
Question #26
Your company has a set of 1000 EC2 Instances defined in an AWS account. They want to effectively automate several administrative tasks on these instances. Which of the following would be an effective way to achieve this? Please select:
A. Use the AWS Systems Manager Parameter Store
B. Use the AWS Systems Manager Run Command
C. Use Amazon Inspector
D. Use AWS Config
Correct Answer: C
Question #27
A Security Engineer is working with a Product team building a web application on AWS. The application uses Amazon S3 to host the static content, Amazon API Gateway to provide RESTful services, and Amazon DynamoDB as the backend data store. The users already exist in a directory that is exposed through a SAML identity provider. Which combination of the following actions should the Engineer take to enable users to be authenticated into the web application and call APIs? (Choose three.)
A. Create a custom authorization service using AWS Lambda
B. Configure a SAML identity provider in Amazon Cognito to map attributes to the Amazon Cognito user pool attributes
C. Configure the SAML identity provider to add the Amazon Cognito user pool as a relying party
D. Configure an Amazon Cognito identity pool to integrate with social login providers
E. Update DynamoDB to store the user email addresses and passwords
F. Update API Gateway to use a COGNITO_USER_POOLS authorizer
Correct Answer: A
Question #28
A Security Administrator is restricting the capabilities of company root user accounts. The company uses AWS Organizations and has enabled it for all feature sets, including consolidated billing. The top-level account is used for billing and administrative purposes, not for operational AWS resource purposes. How can the Administrator restrict usage of member root user accounts across the organization?
A. Disable the use of the root user account at the organizational root
B. Enable multi-factor authentication of the root user account for each organizational member account
C. Configure IAM user policies to restrict root account capabilities for each Organizations member account
D. Create an organizational unit (OU) in Organizations with a service control policy that controls usage of the root user
E. Add all operational accounts to the new OU
F. Configure AWS CloudTrail to integrate with Amazon CloudWatch Logs and then create a metric filter for RootAccountUsage
Correct Answer: DEF
Question #29
A company uses infrastructure as code (IaC) to create AWS infrastructure. The company writes the code as AWS CloudFormation templates to deploy the infrastructure. The company has an existing CI/CD pipeline that the company can use to deploy these templates. After a recent security audit, the company decides to adopt a policy-as-code approach to improve the company's security posture on AWS. The company must prevent the deployment of any infrastructure that would violate a security policy, such as an unencr
A. Turn on AWS Trusted Advisor
B. Turn on AWS Config
C. Create rule sets in AWS CloudFormation Guard
D. Create rule sets as SCPs
Correct Answer: C
Question #30
A Developer is building a serverless application that uses Amazon API Gateway as the front end. The application will not be publicly accessible. Other legacy applications running on Amazon EC2 will make calls to the application. A Security Engineer has been asked to review the security controls for authentication and authorization of the application. Which combination of actions would provide the MOST secure solution? (Select TWO.)
A. Configure an IAM policy that allows the least permissive actions to communicate with the API Gateway. Attach the policy to the role used by the legacy EC2 instances
B. Enable AWS WAF for API Gateway. Configure rules to explicitly allow connections from the legacy EC2 instances
C. Create a VPC endpoint for API Gateway. Attach an IAM resource policy that allows the role of the legacy EC2 instances to call specific APIs
D. Create a usage plan. Generate a set of API keys for each application that needs to call the API
E. Configure cross-origin resource sharing (CORS) in each API. Share the CORS information with the applications that call the API
Correct Answer: AE
Question #31
A company hosts its public website on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an EC2 Auto Scaling group across multiple Availability Zones. The website is under a DDoS attack by a specific IoT device brand that is visible in the user agent. A security engineer needs to mitigate the attack without impacting the availability of the public website. What should the security engineer do to accomplish this?
A. Configure a web ACL rule for AWS WAF to block requests with a string match condition for the user agent of the IoT device
B. Associate the web ACL with the ALB
C. Configure an Amazon CloudFront distribution to use the ALB as an origin
D. Configure a web ACL rule for AWS WAF to block requests with a string match condition for the user agent of the IoT device
E. Associate the web ACL with the ALB. Change the public DNS entry of the website to point to the CloudFront distribution
F. Configure an Amazon CloudFront distribution to use a new ALB as an origin
Correct Answer: B
Question #32
A company's on-premises data center forwards DNS logs to a third-party security information and event management (SIEM) solution that alerts on suspicious behavior. The company wants to introduce a similar capability to its AWS accounts that includes automatic remediation. The company expects to double in size within the next few months. Which solution meets the company's current and future logging requirements?
A. Enable Amazon GuardDuty and AWS Security Hub in all Regions and all accounts
B. Designate a master security account to receive all alerts from the child accounts
C. Set up specific rules within Amazon EventBridge to trigger an AWS Lambda function for remediation steps
D. Ingest all AWS CloudTrail logs, VPC Flow Logs, and DNS logs into a single Amazon S3 bucket in a designated security account
E. Use the current on-premises SIEM to monitor the logs and send a notification to an Amazon SNS topic to alert the security team of remediation steps
F. Ingest all AWS CloudTrail logs, VPC Flow Logs, and DNS logs into a single Amazon S3 bucket in a designated security account
Correct Answer: B
Question #33
Your company has an EC2 Instance hosted in AWS. This EC2 Instance hosts an application. Currently this application is experiencing a number of issues. You need to inspect the network packets to see what type of error is occurring. Which one of the below steps can help address this issue? Please select:
A. Use the VPC Flow Logs
B. Use a network monitoring tool provided by an AWS partner
C. Use another instance
D. Set up a port in "promiscuous mode" and sniff the traffic to analyze the packets
E. Use CloudWatch metrics
Correct Answer: D
Question #34
A Software Engineer is trying to figure out why network connectivity to an Amazon EC2 instance does not appear to be working correctly. Its security group allows inbound HTTP traffic from 0.0.0.0/0, and the outbound rules have not been modified from the default. A custom network ACL associated with its subnet allows inbound HTTP traffic from 0.0.0.0/0 and has no outbound rules. What would resolve the connectivity issue?
A. The outbound rules on the security group do not allow the response to be sent to the client on the ephemeral port range
B. The outbound rules on the security group do not allow the response to be sent to the client on the HTTP port
C. An outbound rule must be added to the network ACL to allow the response to be sent to the client on the ephemeral port range
D. An outbound rule must be added to the network ACL to allow the response to be sent to the client on the HTTP port
Correct Answer: C
Question #35
An application running on EC2 instances must use a username and password to access a database. The developer has stored those secrets in the SSM Parameter Store with type SecureString using the default KMS CMK. Which combination of configuration steps will allow the application to access the secrets via the API? Select 2 answers from the options below. Please select:
A. Add the EC2 instance role as a trusted service to the SSM service role
B. Add permission to use the KMS key to decrypt to the SSM service role
C. Add permission to read the SSM parameter to the EC2 instance role
D.
E. Add permission to use the KMS key to decrypt to the EC2 instance role
F. Add the SSM service role as a trusted service to the EC2 instance role
Correct Answer: B
Question #36
An organization has three applications running on AWS, each accessing the same data on Amazon S3. The data on Amazon S3 is server-side encrypted by using an AWS KMS Customer Master Key (CMK). What is the recommended method to ensure that each application has its own programmatic access control permissions on the KMS CMK?
A. Change the key policy permissions associated with the KMS CMK for each application when it must access the data in Amazon S3
B. Have each application assume an IAM role that provides permissions to use the AWS Certificate Manager CMK
C. Have each application use a grant on the KMS CMK to add or remove specific access controls on the KMS CMK
D. Have each application use an IAM policy in a user context to have specific access permissions on the KMS CMK
Correct Answer: AD
Question #37
An organization receives an alert that indicates that an EC2 instance behind an ELB Classic Load Balancer has been compromised. Which technique will limit lateral movement and allow evidence gathering?
A. Remove the instance from the load balancer and terminate it
B. Remove the instance from the load balancer, and shut down access to the instance by tightening the security group
C. Reboot the instance and check for any Amazon CloudWatch alarms
D. Stop the instance and make a snapshot of the root EBS volume
View answer
Correct Answer: B
Question #38
A company has an encrypted Amazon S3 bucket. An Application Developer has an IAM policy that allows access to the S3 bucket, but the Application Developer is unable to access objects within the bucket. What is a possible cause of the issue?
A. The S3 ACL for the S3 bucket fails to explicitly grant access to the Application Developer
B. The AWS KMS key for the S3 bucket fails to list the Application Developer as an administrator
C. The S3 bucket policy fails to explicitly grant access to the Application Developer
D. The S3 bucket policy explicitly denies access to the Application Developer
View answer
Correct Answer: D
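The answer above rests on the policy evaluation order: a matching explicit Deny anywhere (identity policy, bucket policy) ends evaluation, and no Allow can override it. The following is an added example written for this page, not AWS code or the AWS policy engine: a small evaluator that applies that order to a constructed developer ARN, a made-up bucket, an IAM policy that allows reads, and a bucket policy that denies them. It ignores SCPs, permission boundaries, session policies, conditions and ACLs, and handles only the same-account case.

```python
"""Why an IAM Allow does not get a developer into a bucket whose policy
denies them: an explicit Deny wins over every Allow.

Added example for this page, not AWS code or the AWS policy engine. It
implements the documented evaluation order for a same-account request
(explicit deny, then any allow from identity or resource policy, then
implicit deny) and ignores SCPs, permission boundaries, session policies,
conditions and ACLs. The ARNs and policies are made up.
"""
from fnmatch import fnmatchcase

DEVELOPER = "arn:aws:iam::123456789012:user/app-developer"   # assumed principal
BUCKET = "arn:aws:s3:::reports-bucket"                        # assumed bucket
OBJECTS = BUCKET + "/*"

# Identity-based policy attached to the developer: bucket listing and object reads.
IAM_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
     "Resource": [BUCKET, OBJECTS]},
]}

# Resource-based bucket policy with an explicit Deny for this developer on objects.
BUCKET_POLICY = {"Statement": [
    {"Effect": "Deny", "Principal": {"AWS": DEVELOPER},
     "Action": "s3:*", "Resource": OBJECTS},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt, principal_arn):
    # Identity-based policies carry no Principal: they apply to whoever they are attached to.
    if "Principal" not in stmt:
        return True
    principal = stmt["Principal"]
    if principal == "*":
        return True
    allowed = _as_list(principal.get("AWS", []))
    return "*" in allowed or principal_arn in allowed


def _statement_matches(stmt, principal_arn, action, resource):
    # IAM wildcards (* and ?) behave like shell globs for this purpose.
    return (_principal_matches(stmt, principal_arn)
            and any(fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])))


def evaluate(principal_arn, action, resource, identity_policies, resource_policies=()):
    """Return 'explicit-deny', 'allow' or 'implicit-deny' for one request."""
    allowed = False
    for policy in list(identity_policies) + list(resource_policies):
        for stmt in policy["Statement"]:
            if not _statement_matches(stmt, principal_arn, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit-deny"      # one matching Deny ends the evaluation
            allowed = True
    return "allow" if allowed else "implicit-deny"


if __name__ == "__main__":
    obj = BUCKET + "/q1-report.csv"
    print("IAM only:", evaluate(DEVELOPER, "s3:GetObject", obj, [IAM_POLICY]))
    print("IAM + bucket policy:", evaluate(DEVELOPER, "s3:GetObject", obj, [IAM_POLICY], [BUCKET_POLICY]))
```

Note that the Deny is scoped to `reports-bucket/*`, so `s3:ListBucket` on the bucket ARN itself still succeeds; a developer who can list but not fetch is a typical symptom of exactly this bucket-policy Deny.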
Question #39
A company plans to move most of its IT infrastructure to AWS. They want to leverage their existing on-premises Active Directory as an identity provider for AWS. Which combination of steps should a Security Engineer take to federate the company's on-premises Active Directory with AWS? (Choose two.)
A. Create IAM roles with permissions corresponding to each Active Directory group
B. Create IAM groups with permissions corresponding to each Active Directory group
C. Configure Amazon Cloud Directory to support a SAML provider
D. Configure Active Directory to add relying party trust between Active Directory and AWS
E. Configure Amazon Cognito to add relying party trust between Active Directory and AWS
View answer
Correct Answer: AD
Question #40
During a recent internal investigation, it was discovered that all API logging was disabled in a production account, and the root user had created new API keys that appear to have been used several times. What could have been done to detect and automatically remediate the incident?
A. Using Amazon Inspector, review all of the API calls and configure the Inspector agent to leverage SNS topics to notify security of the change to AWS CloudTrail, and revoke the new API keys for the root user
B. Using AWS Config, create a config rule that detects when AWS CloudTrail is disabled, as well as any calls to the root user create-api-key. Then use a Lambda function to re-enable CloudTrail logs and deactivate the root API keys
C. Using Amazon CloudWatch, create a CloudWatch event that detects AWS CloudTrail deactivation and a separate Amazon Trusted Advisor check to automatically detect the creation of root API keys. Then use a Lambda function to enable AWS CloudTrail and deactivate the root API keys
D. Using Amazon CloudTrail, create a new CloudTrail event that detects the deactivation of CloudTrail logs, and a separate CloudTrail event that detects the creation of root API keys
View answer
Correct Answer: B
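Whichever detection service the exam prefers, the two signals are the same: a CloudTrail `StopLogging`/`DeleteTrail` call, and a `CreateAccessKey` call whose `userIdentity.type` is `Root`. The following is an added example written for this page, not AWS code: EventBridge-style event patterns for those two signals, a matcher implementing the subset of EventBridge matching they need, and a Lambda-shaped handler that returns the remediation it would perform instead of calling boto3, so it runs offline over constructed events. The rule names, ARNs and events are made up; the access key IDs are the documented AWS placeholder values.

```python
"""Detecting CloudTrail being switched off and root access-key creation, and
the remediation a Lambda target would apply.

Added example for this page, not AWS code. RULES are EventBridge-style event
patterns over CloudTrail management events; matches() implements the subset of
EventBridge matching used here (nested objects, exact-match lists at leaves).
handler() returns the API call it would make instead of calling boto3, so the
block runs offline. The events are constructed, not real CloudTrail output.
"""

RULES = {
    "cloudtrail-logging-disabled": {
        "source": ["aws.cloudtrail"],
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {"eventSource": ["cloudtrail.amazonaws.com"],
                   "eventName": ["StopLogging", "DeleteTrail"]},
    },
    "root-access-key-created": {
        "source": ["aws.iam"],
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {"eventSource": ["iam.amazonaws.com"],
                   "eventName": ["CreateAccessKey"],
                   "userIdentity": {"type": ["Root"]}},
    },
}


def _event(source, detail):
    """Wrap a CloudTrail record in the EventBridge envelope (constructed)."""
    return {"source": source, "detail-type": "AWS API Call via CloudTrail", "detail": detail}


SAMPLE_EVENTS = [
    _event("aws.cloudtrail", {
        "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ops"},
        "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/prod-trail"}}),
    _event("aws.iam", {
        "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
        "responseElements": {"accessKey": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE", "status": "Active"}}}),
    _event("aws.iam", {   # an ordinary IAM user's key: not a finding
        "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ci"},
        "responseElements": {"accessKey": {"accessKeyId": "AKIAI44QH8DHBEXAMPLE", "status": "Active"}}}),
    _event("aws.s3", {
        "eventSource": "s3.amazonaws.com", "eventName": "GetBucketPolicy",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ops"}}),
]


def matches(pattern, event):
    """EventBridge-style match: every pattern key must be present in the event;
    nested objects recurse; a leaf list matches if the event value is in it."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True


def handler(event, context=None):
    """Lambda entry point (dry run): returns the remediation action, or None."""
    detail = event["detail"]
    if matches(RULES["cloudtrail-logging-disabled"], event):
        if detail["eventName"] == "StopLogging":
            return {"finding": "cloudtrail-logging-disabled", "api": "cloudtrail:StartLogging",
                    "Name": detail["requestParameters"]["name"]}
        return {"finding": "cloudtrail-logging-disabled", "api": "notify-security",
                "reason": "trail deleted; recreate it from infrastructure code"}
    if matches(RULES["root-access-key-created"], event):
        # Root access keys can only be managed by the root user, so a Lambda
        # role cannot deactivate them: page a human with the key id instead.
        return {"finding": "root-access-key-created", "api": "notify-security",
                "AccessKeyId": detail["responseElements"]["accessKey"]["accessKeyId"],
                "reason": "sign in as root and deactivate this key"}
    return None


def triage(events):
    """Run every event through the handler and keep the findings."""
    return [result for result in map(handler, events) if result]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Two practical caveats: IAM is a global service, so its CloudTrail events are recorded in us-east-1 and the root-key rule must live in that Region; and although the exam answer says a Lambda function deactivates the root keys, IAM principals cannot manage the root user's access keys, so the automated step for that finding can only alert.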
Question #41
Which option for the use of the AWS Key Management Service (KMS) supports key management best practices that focus on minimizing the potential scope of data exposed by a possible future key compromise?
A. Use KMS automatic key rotation to replace the master key, and use this new master key for future encryption operations without re-encrypting previously encrypted data
B. Generate a new Customer Master Key (CMK), re-encrypt all existing data with the new CMK, and use it for all future encryption operations
C. Change the CMK alias every 90 days, and update key-calling applications with the new key alias
D. Change the CMK permissions to ensure that individuals who can provision keys are not the same individuals who can use the keys
View answer
Correct Answer: A
Question #42
A security engineer is auditing a production system and discovers several additional IAM roles that are not required and were not previously documented during the last audit 90 days ago. The engineer is trying to find out who created these IAM roles and when they were created. The solution must have the lowest operational overhead. Which solution will meet this requirement?
A. Import AWS CloudTrail logs from Amazon S3 into an Amazon Elasticsearch Service cluster, and search through the combined logs for CreateRole events
B. Create a table in Amazon Athena for AWS CloudTrail events. Query the table in Amazon Athena for CreateRole events
C. Use AWS Config to look up the configuration timeline for the additional IAM roles and view the linked AWS CloudTrail events
D. Download the credentials report from the IAM console to view the details for each IAM entity, including the creation dates
View answer
Correct Answer: C
Question #43
A company has several workloads running on AWS. Employees are required to authenticate using on-premises ADFS and SSO to access the AWS Management Console. Developers migrated an existing legacy web application to an Amazon EC2 instance. Employees need to access this application from anywhere on the internet, but currently, there is no authentication system built into the application. How should the Security Engineer implement employee-only access to this system without changing the application?
A. Place the application behind an Application Load Balancer (ALB). Define a SAML-based Amazon Cognito user pool and connect it to ADFS
B. Implement AWS SSO in the master account and link it to ADFS as an identity provider. Define the EC2 instance as a managed resource, then apply an IAM policy on the resource
C. Define an Amazon Cognito identity pool, then install the connector on the Active Directory server. Use the Amazon Cognito SDK on the application instance to authenticate the employees using their Active Directory user names and passwords
View answer
Correct Answer: A
Question #44
While securing the connection between a company's VPC and its on-premises data center, a Security Engineer sent a ping command from an on-premises host (IP address 203.0.113.12) to an Amazon EC2 instance (IP address 172.31.16.139). The ping command did not return a response. The flow log in the VPC showed the following:
2 123456789010 eni-1235b8ca 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK
2 123456789010 eni-1235b8ca 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 RE
A. In the security group of the EC2 instance, allow inbound ICMP traffic
B. In the security group of the EC2 instance, allow outbound ICMP traffic
C. In the VPC's NACL, allow inbound ICMP traffic
D. In the VPC's NACL, allow outbound ICMP traffic
View answer
Correct Answer: D
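This question and the HTTP one earlier on the page (the custom NACL with no outbound rules) rest on the same fact: security groups are stateful, so once an inbound packet is accepted the reply goes out regardless of outbound rules, while a network ACL is stateless and needs its own outbound rule for the reply (for HTTP, back to the client's ephemeral port). A flow log that shows ACCEPT for the request and REJECT for the reply of the same flow on one ENI therefore points at the NACL, not the security group. The following is an added example written for this page, not AWS code: a parser for default-format (v2) VPC Flow Log records and a diagnoser that pairs request and reply records per flow and reports which layer to look at. The records are constructed and modelled on the question; the IPs, ENI and account ID are placeholders.

```python
"""Diagnosing stateless NACL drops from VPC Flow Logs.

Added example for this page, not AWS code. Security groups are stateful:
an accepted request's reply is always allowed out. Network ACLs are stateless:
the reply needs its own outbound rule. So an ENI that logs ACCEPT for a
request and REJECT for the reply of the same flow is being dropped by the
NACL outbound rules. The records below are constructed in the default v2
flow-log format, modelled on the question; they are not from a real account.
"""
from collections import defaultdict

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}

SAMPLE_FLOW_LOG = """\
2 123456789010 eni-1235b8ca 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK
2 123456789010 eni-1235b8ca 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK
2 123456789010 eni-1235b8ca 198.51.100.7 172.31.16.139 49152 80 6 10 1500 1432917200 1432917260 ACCEPT OK
2 123456789010 eni-1235b8ca 172.31.16.139 198.51.100.7 80 49152 6 8 2800 1432917200 1432917260 REJECT OK
2 123456789010 eni-1235b8ca 192.0.2.44 172.31.16.139 51000 22 6 3 180 1432917300 1432917320 REJECT OK
2 123456789010 eni-1235b8ca - - - - - - - 1432917400 1432917460 - NODATA
"""


def parse_flow_log(text):
    """Parse default-format records; skip NODATA/SKIPDATA and malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[-1] != "OK":
            continue
        rec = dict(zip(FIELDS, parts))
        for field in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[field] = int(rec[field])
        records.append(rec)
    return records


def flow_key(rec):
    """Direction-independent identity of a flow: ENI, protocol, both endpoints."""
    endpoints = frozenset({(rec["srcaddr"], rec["srcport"]), (rec["dstaddr"], rec["dstport"])})
    return (rec["interface_id"], rec["protocol"], endpoints)


def diagnose(records, instance_ip):
    """Pair each flow's request and reply records and say which layer dropped it."""
    flows = defaultdict(list)
    for rec in records:
        flows[flow_key(rec)].append(rec)
    findings = []
    for (eni, proto, _), recs in flows.items():
        inbound = [r for r in recs if r["dstaddr"] == instance_ip]
        outbound = [r for r in recs if r["srcaddr"] == instance_ip]
        if not inbound:
            continue
        if any(r["action"] == "ACCEPT" for r in inbound) and any(r["action"] == "REJECT" for r in outbound):
            verdict = ("reply rejected after accepted request: stateless NACL outbound "
                       "rule missing; the stateful security group is not the cause")
        elif all(r["action"] == "REJECT" for r in inbound):
            verdict = "request rejected inbound: check security group and NACL inbound rules"
        else:
            continue
        findings.append({"interface": eni, "protocol": PROTOCOLS.get(proto, str(proto)),
                         "peer": inbound[0]["srcaddr"], "port": inbound[0]["dstport"],
                         "verdict": verdict})
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_flow_log(SAMPLE_FLOW_LOG), "172.31.16.139"):
        print(finding)
```

Against the sample, the ICMP echo and the HTTP request both show the accept-then-reject pattern (NACL outbound), while the SSH attempt is rejected on the way in. In a real account the custom-format fields and the `flow-direction` field make the pairing easier, but the stateful-versus-stateless reasoning is identical.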
Question #45
An organization wants to deploy a three-tier web application whereby the application servers run on Amazon EC2 instances. These EC2 instances need access to credentials that they will use to authenticate their SQL connections to an Amazon RDS DB instance. Also, AWS Lambda functions must issue queries to the RDS database by using the same database credentials. The credentials must be stored so that the EC2 instances and the Lambda functions can access them. No other access is allowed. The access logs must re
A. Store the database credentials in AWS Key Management Service (AWS KMS). Add the role to an EC2 instance profile. Attach the instance profile to the EC2 instances. Set up Lambda to use the new role for execution
B. Store the database credentials in AWS KMS. Create an IAM role with access to KMS by using the EC2 and Lambda service principals in the role's trust policy
View answer
Correct Answer: neither of the options shown (AWS KMS manages encryption keys; it does not store credentials)
Question #46
A company's security information and event management (SIEM) tool receives new AWS CloudTrail logs from an Amazon S3 bucket that is configured to send all object created event notifications to an Amazon SNS topic. An Amazon SQS queue is subscribed to this SNS topic. The company's SIEM tool then polls this SQS queue for new messages using an IAM role and fetches new log events from the S3 bucket based on the SQS messages. After a recent security review that resulted in restricted permissions, the SIEM tool has stopp
A. The SQS queue does not allow the SQS SendMessage action from the SNS topic
B. The SNS topic does not allow the SNS Publish action from Amazon S3
C. The SNS topic is not delivering raw messages to the SQS queue
D. The S3 bucket policy does not allow CloudTrail to perform the PutObject action
E. The IAM role used by the SIEM tool does not have permission to subscribe to the SNS topic
F. The IAM role used by the SIEM tool does not allow the SQS DeleteMessage action
View answer
Correct Answer: ABD
Question #47
You are working in the media industry and you have created a web application where users will be able to upload photos they create to your website. This web application must be able to call the S3 API in order to be able to function. Where should you store your API credentials whilst maintaining the maximum level of security?
A. Save the API credentials to your PHP files
B. Don't save your API credentials; instead create a role in IAM and assign this role to an EC2 instance when you first create it
C. Save your API credentials in a public GitHub repository
D. Pass API credentials to the instance using instance user data
View answer
Correct Answer: B
Question #48
The Security Engineer for a mobile game has to implement a method to authenticate users so that they can save their progress. Because most of the users are part of the same OpenID-Connect compatible social media website, the Security Engineer would like to use that as the identity provider. Which solution is the SIMPLEST way to allow the authentication of users using their social media identities?
A. Amazon Cognito
B. AssumeRoleWithWebIdentity API
C. Amazon Cloud Directory
D. Active Directory (AD) Connector
View answer
Correct Answer: A
Question #49
A company has several Customer Master Keys (CMK), some of which have imported key material. Each CMK must be rotated annually. What two methods can the security team use to rotate each key? (Select TWO.)
A. Enable automatic key rotation for a CMK
B. Import new key material to an existing CMK
C. Use the CLI or console to explicitly rotate an existing CMK
D. Import new key material to a new CMK; point the key alias to the new CMK
E. Delete an existing CMK and a new default CMK will be created
View answer
Correct Answer: AD
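Questions #41 and #49 are two sides of the same mechanism: automatic rotation gives a KMS key new backing material while keeping the old versions, so ciphertext written before rotation still decrypts and nothing is re-encrypted; keys with imported material cannot be rotated that way, so the procedure is to create a new key with fresh material and move the alias, which applications keep calling by name. The following is an added example written for this page, not AWS code or a real KMS client: a toy in-memory KMS that models exactly those behaviours. The cipher is a throwaway HMAC-SHA256 keystream chosen so the block runs with the standard library alone; it is not for reuse, and the key IDs and alias names are made up.

```python
"""Toy model of KMS key rotation: why automatic rotation needs no re-encryption
of old data, and why keys with imported material are rotated by creating a new
key and repointing the alias.

Added example for this page, not AWS code or a real KMS client. Each key keeps
every version of its backing material, ciphertext records which key and version
produced it, and EXTERNAL (imported) keys refuse automatic rotation. The cipher
is a toy keystream (HMAC-SHA256 in counter mode), not one to reuse.
"""
import hashlib, hmac, os, struct


def _keystream_xor(material, nonce, data):
    """XOR data with an HMAC-SHA256 counter-mode keystream (toy, symmetric)."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(material, nonce + struct.pack(">I", block_no), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


class ToyKms:
    def __init__(self):
        self.keys = {}     # key_id -> {"origin": "AWS_KMS" | "EXTERNAL", "versions": [material, ...]}
        self.aliases = {}  # "alias/name" -> key_id

    def create_key(self, origin="AWS_KMS", imported_material=None):
        if origin == "AWS_KMS":
            material = os.urandom(32)            # KMS generates the material
        elif imported_material is not None:
            material = imported_material         # customer-supplied material
        else:
            raise ValueError("EXTERNAL keys need imported material")
        key_id = "key-" + os.urandom(4).hex()    # made-up id format
        self.keys[key_id] = {"origin": origin, "versions": [material]}
        return key_id

    def rotate(self, key_id):
        """Automatic rotation: new backing material; old versions stay for decrypt."""
        key = self.keys[key_id]
        if key["origin"] != "AWS_KMS":
            raise PermissionError("automatic rotation is not available for imported key material")
        key["versions"].append(os.urandom(32))
        return len(key["versions"]) - 1

    def update_alias(self, alias, key_id):
        self.aliases[alias] = key_id             # callers keep using the alias name

    def _resolve(self, key_ref):
        return self.aliases[key_ref] if key_ref.startswith("alias/") else key_ref

    def encrypt(self, key_ref, plaintext):
        key_id = self._resolve(key_ref)
        versions = self.keys[key_id]["versions"]
        version = len(versions) - 1              # always the current material
        nonce = os.urandom(16)
        return f"{key_id}|{version}|".encode() + nonce + _keystream_xor(versions[version], nonce, plaintext)

    def decrypt(self, blob):
        key_id, version, rest = blob.split(b"|", 2)   # ciphertext names its key and version
        material = self.keys[key_id.decode()]["versions"][int(version)]
        return _keystream_xor(material, rest[:16], rest[16:])

    @staticmethod
    def ciphertext_key(blob):
        key_id, version, _ = blob.split(b"|", 2)
        return key_id.decode(), int(version)


def rotation_demo():
    kms = ToyKms()
    # KMS-generated key: rotate in place; nothing gets re-encrypted.
    generated = kms.create_key()
    kms.update_alias("alias/app-data", generated)
    before = kms.encrypt("alias/app-data", b"written before rotation")
    kms.rotate(generated)
    after = kms.encrypt("alias/app-data", b"written after rotation")
    # Imported material: rotation is refused, so create a new key and move the alias.
    imported = kms.create_key("EXTERNAL", imported_material=os.urandom(32))
    kms.update_alias("alias/hsm-data", imported)
    legacy = kms.encrypt("alias/hsm-data", b"under imported material v1")
    try:
        kms.rotate(imported)
        refused = False
    except PermissionError:
        refused = True
    replacement = kms.create_key("EXTERNAL", imported_material=os.urandom(32))
    kms.update_alias("alias/hsm-data", replacement)
    fresh = kms.encrypt("alias/hsm-data", b"under the replacement key")
    return {
        "before_plain": kms.decrypt(before), "after_plain": kms.decrypt(after),
        "before_version": kms.ciphertext_key(before)[1], "after_version": kms.ciphertext_key(after)[1],
        "same_key_id": kms.ciphertext_key(before)[0] == kms.ciphertext_key(after)[0],
        "imported_rotation_refused": refused, "legacy_plain": kms.decrypt(legacy),
        "alias_moved": kms.ciphertext_key(fresh)[0] != kms.ciphertext_key(legacy)[0],
        "fresh_plain": kms.decrypt(fresh),
    }


if __name__ == "__main__":
    for name, value in rotation_demo().items():
        print(f"{name}: {value}")
```

The model makes the limitation in Question #41 visible too: after automatic rotation the old ciphertext still decrypts under the same key ID, because the old material is retained, so rotation limits what new material protects but does not shrink what a compromise of the key itself exposes; only re-encryption under a different key does that.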
