Ace Amazon AWS-Security-Specialty Certification with Actual Questions Oct 15, 2023 Updated [Q93-Q116]


2023 The Most Effective AWS-Security-Specialty with 592 Questions Answers


Topics of Amazon SCS-C01: AWS Certified Security - Specialty Exam

Candidates should know the exam topics before they start preparing, because this helps them focus on the core material. The SCS-C01 exam dumps will include the following topics:

Domain 1: Incident Response

  • 1.1 Given an AWS abuse notice, evaluate the suspected compromised instance or exposed access keys.
  • 1.2 Verify that the Incident Response plan includes relevant AWS services.
  • 1.3 Evaluate the configuration of automated alerting and execute possible remediation of security-related incidents and emerging issues.

Domain 2: Logging and Monitoring

  • 2.4 Troubleshoot logging solutions.
  • 2.2 Troubleshoot security monitoring and alerting.
  • 2.3 Design and implement a logging solution.
  • 2.1 Design and implement security monitoring and alerting.

Domain 3: Infrastructure Security

  • 3.2 Design and implement a secure network infrastructure.
  • 3.1 Design edge security on AWS.
  • 3.3 Troubleshoot a secure network infrastructure.
  • 3.4 Design and implement host-based security.

Domain 4: Identity and Access Management

  • 4.2 Troubleshoot an authorization and authentication system to access AWS resources.
  • 4.1 Design and implement a scalable authorization and authentication system to access AWS resources.

Domain 5: Data Protection

  • 5.2 Troubleshoot key management.
  • 5.3 Design and implement a data encryption solution for data at rest and data in transit.
  • 5.1 Design and implement key management and use.

 

NEW QUESTION # 93
You have an instance set up in a test environment in AWS. You installed the required application and then promoted the server to a production environment. Your IT Security team has advised that there may be traffic flowing in from an unknown IP address to port 22. How can this be mitigated immediately?
Please select:

  • A. Remove the rule for incoming traffic on port 22 for the Security Group
  • B. Change the AMI for the instance
  • C. Change the Instance type for the instance
  • D. Shutdown the instance

Answer: A

Explanation:
In the test environment the security groups might have been opened to all IP addresses for testing purposes. Always ensure that this rule is removed once all testing is completed.
Options A, C and D are all invalid because they would affect the application running on the server. The easiest way is just to remove the rule for access on port 22.
For more information on authorizing access to an instance, please visit the below URL:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
The correct answer is: Remove the rule for incoming traffic on port 22 for the Security Group
Submit your Feedback/Queries to our Experts


NEW QUESTION # 94
A company's security policy requires that VPC Flow Logs are enabled on all VPCs. A Security Engineer is looking to automate the process of auditing the VPC resources for compliance.
What combination of actions should the Engineer take? (Choose two.)

  • A. Create an Amazon CloudWatch Event rule that triggers on events emitted by AWS Config.
  • B. Create an AWS Config configuration item for each VPC in the company AWS account.
  • C. Create an AWS Lambda function that determines whether Flow Logs are enabled for a given VPC.
  • D. Create an AWS Config custom rule, and associate it with an AWS Lambda function that contains the evaluating logic.
  • E. Create an AWS Config managed rule with a resource type of AWS::Lambda::Function.

Answer: A,B


NEW QUESTION # 95
Your company has the following setup in AWS:
a. A set of EC2 Instances hosting a web application
b. An application load balancer placed in front of the EC2 Instances
There seems to be a set of malicious requests coming from a set of IP addresses. Which of the following can be used to protect against these requests?
Please select:

  • A. Use Security Groups to block the IP addresses
  • B. Use AWS inspector to block the IP addresses
  • C. Use VPC Flow Logs to block the IP addresses
  • D. Use AWS WAF to block the IP addresses

Answer: D

Explanation:
The AWS Documentation mentions the following on AWS WAF, which can be used to protect Application Load Balancers and CloudFront:
A web access control list (web ACL) gives you fine-grained control over the web requests that your Amazon CloudFront distributions or Application Load Balancers respond to. You can allow or block the following types of requests:

  • Originate from an IP address or a range of IP addresses
  • Originate from a specific country or countries
  • Contain a specified string or match a regular expression (regex) pattern in a particular part of requests
  • Exceed a specified length
  • Appear to contain malicious SQL code (known as SQL injection)
  • Appear to contain malicious scripts (known as cross-site scripting)

Option A is invalid because by default Security Groups have the Deny policy.
Options B and C are invalid because these services cannot be used to block IP addresses.
For information on AWS WAF, please visit the below URL:
https://docs.aws.amazon.com/waf/latest/developerguide/web-acl.html
The correct answer is: Use AWS WAF to block the IP addresses


NEW QUESTION # 96
A company needs to encrypt all of its data stored in Amazon S3. The company wants to use AWS Key Management Service (AWS KMS) to create and manage its encryption keys. The company's security policies require the ability to import the company's own key material for the keys, set an expiration date on the keys, and delete keys immediately, if needed.
How should a security engineer set up AWS KMS to meet these requirements?

  • A. Configure AWS KMS and use a custom key store. Create a customer managed CMK with no key material. Import the company's keys and key material into the CMK.
  • B. Configure AWS KMS and use a custom key store. Create an AWS managed CMK with no key material. Import the company's key material into the CMK.
  • C. Configure AWS KMS and use the default key store. Create a customer managed CMK with no key material. Import the company's key material into the CMK.
  • D. Configure AWS KMS and use the default key store. Create an AWS managed CMK with no key material. Import the company's key material into the CMK.

Answer: A


NEW QUESTION # 97
A company is setting up products to deploy in AWS Service Catalog. Management is concerned that when users launch products, elevated IAM privileges will be required to create resources. How should the company mitigate this concern?

  • A. Add a launch constraint to each product in the portfolio.
  • B. Define resource update constraints for each product in the portfolio.
  • C. Add a template constraint to each product in the portfolio.
  • D. Update the AWS CloudFormation template backing the product to include a service role configuration.

Answer: A

Explanation:
https://docs.aws.amazon.com/servicecatalog/latest/adminguide/constraints-launch.html
Launch constraints apply to products in the portfolio (product-portfolio association). Launch constraints do not apply at the portfolio level or to a product across all portfolios. To associate a launch constraint with all products in a portfolio, you must apply the launch constraint to each product individually.


NEW QUESTION # 98
A security engineer must ensure that all infrastructure launched in the company AWS account be monitored for deviation from compliance rules, specifically that all EC2 instances are launched from one of a specified list of AMIs and that all attached EBS volumes are encrypted. Infrastructure not in compliance should be terminated. What combination of steps should the Engineer implement? Select 2 answers from the options given below.
Please select:

  • A. Set up a CloudWatch event based on Amazon inspector findings
  • B. Set up a CloudWatch event based on Trusted Advisor metrics
  • C. Monitor compliance with AWS Config Rules triggered by configuration changes
  • D. Trigger a CLI command from a CloudWatch event that terminates the infrastructure
  • E. Trigger a Lambda function from a scheduled CloudWatch event that terminates non-compliant infrastructure.

Answer: C,E

Explanation:
You can use AWS Config to monitor for such events.
Option A is invalid because you cannot set CloudWatch events based on Trusted Advisor checks.
Option C is invalid Amazon Inspector cannot be used to check whether instances are launched from a specific A
Option E is invalid because triggering a CLI command is not the preferred option; instead you should use Lambda functions for all automation purposes.
For more information on Config Rules please see the below link:
https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config-rules.html
These events can then trigger a Lambda function to terminate instances. For more information on CloudWatch events please see the below link:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/WhatIsCloudWatchEvents.
The correct answers are: Trigger a Lambda function from a scheduled CloudWatch event that terminates non-compliant infrastructure., Monitor compliance with AWS Config Rules triggered by configuration changes


NEW QUESTION # 99
Your application currently uses AWS Cognito for authenticating users. Your application consists of different types of users. Some users are only allowed read access to the application and others are given contributor access. How would you manage the access effectively?
Please select:

  • A. You need to manage this within the application itself
  • B. This needs to be managed via Web security tokens
  • C. Create different cognito endpoints, one for the readers and the other for the contributors.
  • D. Create different cognito groups, one for the readers and the other for the contributors.

Answer: D

Explanation:
The AWS Documentation mentions the following:
You can use groups to create a collection of users in a user pool, which is often done to set the permissions for those users. For example, you can create separate groups for users who are readers, contributors, and editors of your website and app.
Option A is incorrect since you need to create Cognito groups and not endpoints.
Options C and D are incorrect since these would be overheads when you can use AWS Cognito.
For more information on AWS Cognito user groups please refer to the below link:
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-user-groups.html
The correct answer is: Create different cognito groups, one for the readers and the other for the contributors.


NEW QUESTION # 100
A Security Engineer is troubleshooting an issue with a company's custom logging application. The application logs are written to an Amazon S3 bucket with event notifications enabled to send events to an Amazon SNS topic. All logs are encrypted at rest using an AWS KMS CMK. The SNS topic is subscribed to an encrypted Amazon SQS queue. The logging application polls the queue for new messages that contain metadata about the S3 object. The application then reads the content of the object from the S3 bucket for indexing.
The Logging team reported that Amazon CloudWatch metrics for the number of messages sent or received are showing zero. No logs are being received.
What should the Security Engineer do to troubleshoot this issue?
A) Add the following statement to the AWS managed CMKs:

B) Add the following statement to the CMK key policy:

C) Add the following statement to the CMK key policy:

D) Add the following statement to the CMK key policy:

  • A. Option D
  • B. Option A
  • C. Option B
  • D. Option C

Answer: A


NEW QUESTION # 101
A financial institution has the following security requirements:
Cloud-based users must be contained in a separate authentication domain.
Cloud-based users cannot access on-premises systems.
As part of standing up a cloud environment, the financial institution is creating a number of Amazon managed databases and Amazon EC2 instances. An Active Directory service exists on-premises that has all the administrator accounts, and these must be able to access the databases and instances.
How would the organization manage its resources in the MOST secure manner? (Choose two.)

  • A. Establish a two-way trust between the new and existing Active Directory services.
  • B. Establish a one-way trust relationship from the new Active Directory to the existing Active Directory service.
  • C. Establish a one-way trust relationship from the existing Active Directory to the new Active Directory service.
  • D. Configure an additional on-premises Active Directory service to manage the cloud resources.
  • E. Configure an AWS Managed Microsoft AD to manage the cloud resources.

Answer: B,E

Explanation:
Deploy a new forest/domain on AWS with one-way trust. If you are planning on leveraging credentials from an on-premises AD on AWS member servers, you must establish at least a one-way trust to the Active Directory running on AWS. In this model, the AWS domain becomes the resource domain where computer objects are located and the on-premises domain becomes the account domain.
Ref: https://d1.awsstatic.com/whitepapers/adds-on-aws.pdf
https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_microsoft_ad.html


NEW QUESTION # 102
You need to create a Linux EC2 instance in AWS. Which of the following steps are used to ensure secure authentication to the EC2 instance from a Windows machine? Choose 2 answers from the options given below.
Please select:

  • A. Ensure the password is passed securely using SSL
  • B. Ensure to create a strong password for logging into the EC2 Instance
  • C. Use the private key to log into the instance
  • D. Create a key pair using putty

Answer: C,D

Explanation:
The AWS Documentation mentions the following:
You can use Amazon EC2 to create your key pair. Alternatively, you could use a third-party tool and then import the public key to Amazon EC2. Each key pair requires a name. Be sure to choose a name that is easy to remember. Amazon EC2 associates the public key with the name that you specify as the key name.
Amazon EC2 stores the public key only, and you store the private key. Anyone who possesses your private key can decrypt login information, so it's important that you store your private keys in a secure place.
Options A and D are incorrect since you should use key pairs for secure access to EC2 Instances.
For more information on EC2 key pairs, please refer to the below URL:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html
The correct answers are: Create a key pair using putty. Use the private key to log into the instance


NEW QUESTION # 103
An AWS Lambda function was misused to alter data, and a Security Engineer must identify who invoked the function and what output was produced. The Engineer cannot find any logs created by the Lambda function in Amazon CloudWatch Logs.
Which of the following explains why the logs are not available?

  • A. The execution role for the Lambda function did not grant permissions to write to the Amazon S3 bucket where CloudWatch Logs stores the logs.
  • B. The version of the Lambda function that was executed was not current.
  • C. The execution role for the Lambda function did not grant permissions to write log data to CloudWatch Logs.
  • D. The Lambda function was executed by using Amazon API Gateway, so the logs are not stored in CloudWatch Logs.

Answer: C


NEW QUESTION # 104
The CFO of a company wants to allow one of his employees to view only the AWS usage report page. Which of the below mentioned IAM policy statements allows the user to have access to the AWS usage report page?
Please select:

  • A. "Effect": "Allow", "Action": ["aws-portal:ViewBilling"], "Resource": "*"
  • B. "Effect": "Allow", "Action": ["Describe"], "Resource": "Billing"
  • C. "Effect": "Allow", "Action": ["aws-portal:ViewUsage", "aws-portal:ViewBilling"], "Resource": "*"
  • D. "Effect": "Allow", "Action": ["AccountUsage"], "Resource": "*"

Answer: C

Explanation:
Per the AWS documentation, below is the access required for a user to access the Usage reports page, and as per this, Option C is the right answer.


NEW QUESTION # 105
You want to ensure that you keep a check on the Active EBS Volumes, Active snapshots and Elastic IP addresses you use so that you don't go beyond the service limit. Which of the below services can help in this regard?
Please select:

  • A. AWS CloudWatch
  • B. AWS Trusted Advisor
  • C. AWS SNS
  • D. AWS EC2

Answer: B

Explanation:
Below is a snapshot of the service limits that the Trusted Advisor can monitor

Option A is invalid because even though you can monitor resources, it cannot be checked against the service limit.
Option B is invalid because this is the Elastic Compute Cloud service.
Option D is invalid because it can send notifications but not check service limits.
For more information on the Trusted Advisor monitoring, please visit the below URL:
https://aws.amazon.com/premiumsupport/ta-faqs/
The correct answer is: AWS Trusted Advisor


NEW QUESTION # 106
You have been given a new brief from your supervisor for a client who needs a web application set up on AWS. The most important requirement is that MySQL must be used as the database, and this database must not be hosted in the public cloud, but rather at the client's data center due to security risks. Which of the following solutions would be the best to assure that the client's requirements are met? Choose the correct answer from the options below.
Please select:

  • A. Use the public subnet for the application server and use RDS with a storage gateway to access and synchronize the data securely from the local data center.
  • B. Build the application server on a public subnet and the database at the client's data center. Connect them with a VPN connection which uses IPsec.
  • C. Build the application server on a public subnet and the database on a private subnet with a NAT instance between them.
  • D. Build the application server on a public subnet and build the database in a private subnet with a secure ssh connection to the private subnet from the client's data center.

Answer: B

Explanation:
Since the database should not be hosted on the cloud all other options are invalid.
The best option is to create a VPN connection for securing traffic as shown below.

Option B is invalid because this is the incorrect use of the Storage Gateway.
Option C is invalid since this is the incorrect use of the NAT instance.
Option D is invalid since this is an incorrect configuration.
For more information on VPN connections, please visit the below URL:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html
The correct answer is: Build the application server on a public subnet and the database at the client's data center. Connect them with a VPN connection which uses IPsec


NEW QUESTION # 107
A security engineer needs to configure monitoring and auditing for AWS Lambda.
Which combination of actions using AWS services should the security engineer take to accomplish this goal?
(Select TWO.)

  • A. Use AWS Resource Access Manager to track configuration changes to Lambda functions, runtime environments, tags, handler names, code sizes, memory allocation, timeout settings, and concurrency settings, along with Lambda IAM execution role, subnet, and security group associations.
  • B. Use AWS Config to track configuration changes to Lambda functions, runtime environments, tags, handler names, code sizes, memory allocation, timeout settings, and concurrency settings, along with Lambda IAM execution role, subnet, and security group associations.
  • C. Use Amazon Macie to discover, classify, and protect sensitive data being executed inside the Lambda function.
  • D. Use Amazon Inspector to automatically monitor for vulnerabilities and perform governance, compliance, operational, and risk auditing for Lambda.
  • E. Use AWS CloudTrail to implement governance, compliance, operational, and risk auditing for Lambda.

Answer: B,E


NEW QUESTION # 108
A company is collecting AWS CloudTrail log data from multiple AWS accounts by managing individual trails in each account and forwarding log data to a centralized Amazon S3 bucket residing in a log archive account.
After CloudTrail introduced support for AWS Organizations trails, the company decided to further centralize management and automate deployment of the CloudTrail logging capability across all of its AWS accounts.
The company's security engineer created an AWS Organizations trail in the master account, enabled server-side encryption with AWS KMS managed keys (SSE-KMS) for the log files, and specified the same bucket as the storage location. However, the engineer noticed that logs recorded by the new trail were not delivered to the bucket.
Which factors could cause this issue? (Select TWO.)

  • A. The CMK key policy does not allow CloudTrail to make GenerateDataKey API calls against the key.
  • B. The IAM role used by the CloudTrail trail does not have permissions to make PutObject API calls against a folder created for the Organizations trail.
  • C. The CMK key policy does not allow CloudTrail to make encrypt and decrypt API calls against the key.
  • D. The CMK key policy does not allow the IAM role used by the CloudTrail trail to use the key for cryptographic operations.
  • E. The S3 bucket policy does not allow CloudTrail to make PutObject API calls against a folder created for the Organizations trail.

Answer: C,E


NEW QUESTION # 109
You have a vendor that needs access to an AWS resource. You create an AWS user account. You want to restrict access to the resource using a policy for just that user over a brief period. Which of the following would be an ideal policy to use?
Please select:

  • A. An Inline Policy
  • B. A bucket ACL
  • C. An AWS Managed Policy
  • D. A Bucket Policy

Answer: A

Explanation:
The AWS Documentation gives an example on such a case
Inline policies are useful if you want to maintain a strict one-to-one relationship between a policy and the principal entity that it's applied to. For example, you want to be sure that the permissions in a policy are not inadvertently assigned to a principal entity other than the one they're intended for. When you use an inline policy, the permissions in the policy cannot be inadvertently attached to the wrong principal entity. In addition, when you use the AWS Management Console to delete that principal entity, the policies embedded in the principal entity are deleted as well. That's because they are part of the principal entity.
Option A is invalid because AWS Managed Policies are ok for a group of users, but for individual users, inline policies are better.
Option C and D are invalid because they are specifically meant for access to S3 buckets
For more information on policies, please visit the following URL:
https://docs.aws.amazon.com/IAM/latest/UserGuide/access managed-vs-inline
The correct answer is: An Inline Policy


NEW QUESTION # 110
You have enabled Cloudtrail logs for your company's AWS account. In addition, the IT Security department has mentioned that the logs need to be encrypted. How can this be achieved?
Please select:

  • A. Enable SSL certificates for the Cloudtrail logs
  • B. There is no need to do anything since the logs will already be encrypted
  • C. Enable Server side encryption for the trail
  • D. Enable Server side encryption for the destination S3 bucket

Answer: B

Explanation:
The AWS Documentation mentions the following.
By default CloudTrail event log files are encrypted using Amazon S3 server-side encryption (SSE). You can also choose to encrypt your log files with an AWS Key Management Service (AWS KMS) key. You can store your log files in your bucket for as long as you want. You can also define Amazon S3 lifecycle rules to archive or delete log files automatically. If you want notifications about log file delivery and validation, you can set up Amazon SNS notifications.
Options A, C and D are not valid since logs will already be encrypted.
For more information on how CloudTrail works, please visit the following URL:
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/how-cloudtrail-works.html
The correct answer is: There is no need to do anything since the logs will already be encrypted


NEW QUESTION # 111
Your company has a requirement to monitor all root user activity by notification. How can this best be achieved? Choose 2 answers from the options given below. Each answer forms part of the solution.
Please select:

  • A. Create a Cloudwatch Logs Rule
  • B. Create a Cloudwatch Events Rule
  • C. Use a Lambda function
  • D. Use Cloudtrail API call

Answer: B,C

Explanation:
Below is a snippet from the AWS blogs on a solution

Option B is invalid because you need to create a Cloudwatch Events Rule and there is such thing as a Cloudwatch Logs Rule.
Option D is invalid because CloudTrail API calls can be recorded but cannot be used to send across notifications.
For more information on this blog article, please visit the following URL:
https://aws.amazon.com/blogs/mt/monitor-and-notify-on-aws-account-root-user-activity/
The correct answers are: Create a Cloudwatch Events Rule, Use a Lambda function


NEW QUESTION # 112
A Development team has asked for help configuring the IAM roles and policies in a new AWS account. The team using the account expects to have hundreds of master keys and therefore does not want to manage access control for customer master keys (CMKs).
Which of the following will allow the team to manage AWS KMS permissions in IAM without the complexity of editing individual key policies?

  • A. Newly created CMKs must allow the root principal to perform the kms CreateGrant API operation.
  • B. The account's CMK key policy must allow the account's IAM roles to perform KMS EnableKey.
  • C. Newly created CMKs must mirror the IAM policy of the KMS key administrator.
  • D. Newly created CMKs must have a key policy that allows the root principal to perform all actions.

Answer: C


NEW QUESTION # 113
A company has hired a third-party security auditor, and the auditor needs read-only access to all AWS resources and logs of all VPC records and events that have occurred on AWS. How can the company meet the auditor's requirements without compromising security in the AWS environment? Choose the correct answer from the options below.
Please select:

  • A. Create an SNS notification that sends the CloudTrail log files to the auditor's email when CloudTrail delivers the logs to S3, but do not allow the auditor access to the AWS environment.
  • B. The company should contact AWS as part of the shared responsibility model, and AWS will grant required access to the third-party auditor.
  • C. Create a role that has the required permissions for the auditor.
  • D. Enable CloudTrail logging and create an IAM user who has read-only permissions to the required AWS resources, including the bucket containing the CloudTrail logs.

Answer: D

Explanation:
AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain events related to API calls across your AWS infrastructure. CloudTrail provides a history of AWS API calls for your account including API calls made through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This history simplifies security analysis, resource change tracking, and troubleshooting.
Options A and C are incorrect since CloudTrail needs to be used as part of the solution.
Option B is incorrect since the auditor needs to have access to CloudTrail.
For more information on CloudTrail, please visit the below URL:
https://aws.amazon.com/cloudtrail/
The correct answer is: Enable CloudTrail logging and create an IAM user who has read-only permissions to the required AWS resources, including the bucket containing the CloudTrail logs.


NEW QUESTION # 114
You are creating a Lambda function which will be triggered by a Cloudwatch Event. The data from these events needs to be stored in a DynamoDB table. How should the Lambda function be given access to the DynamoDB table?
Please select:

  • A. Use the IAM Access keys which has access to DynamoDB and then place it in an S3 bucket.
  • B. Put the IAM Access keys in the Lambda function since the Lambda function by default is secure
  • C. Create a VPC endpoint for the DynamoDB table. Access the VPC endpoint from the Lambda function.
  • D. Use an IAM role which has permissions to the DynamoDB table and attach it to the Lambda function.

Answer: D

Explanation:
AWS Lambda functions use roles to interact with other AWS services. So use an IAM role which has permissions to the DynamoDB table and attach it to the Lambda function.
Options A and C are all invalid because you should never use IAM keys for access.
Option D is invalid because the VPC endpoint is used for VPCs
For more information on Lambda function Permission model, please visit the URL
https://docs.aws.amazon.com/lambda/latest/dg/intro-permission-model.html
The correct answer is: Use an IAM role which has permissions to the DynamoDB table and attach it to the Lambda function.


NEW QUESTION # 115
A Security Engineer has launched multiple Amazon EC2 instances from a private AMI using an AWS CloudFormation template. The Engineer notices instances terminating right after they are launched.
What could be causing these terminations?

  • A. The AMI used was encrypted and the IAM does not have the required AWS KMS permissions.
  • B. AWS currently does not have sufficient capacity in the Region.
  • C. The instance profile used with the EC2 instances is unable to query instance metadata.
  • D. The IAM user launching those instances is missing ec2:RunInstances permission.

Answer: A

Explanation:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/troubleshooting-launch.html


NEW QUESTION # 116
......
