[Apr 20, 2024] SCS-C02 Free Exam Questions with Quality Guaranteed [Q151-Q173]



Amazon SCS-C02 Exam Syllabus Topics:

Topic    Details
Topic 1
  • Design and implement a logging solution
  • Troubleshoot security monitoring and alerting
Topic 2
  • Design and implement network security controls
  • Design and implement controls to manage the lifecycle of data at rest
Topic 3
  • Detect security threats and anomalies by using AWS services
  • Respond to compromised resources and workloads
Topic 4
  • Threat Detection and Incident Response
  • Security Logging and Monitoring
Topic 5
  • Design and implement monitoring and alerting to address security events
  • Design and implement an incident response plan
Topic 6
  • Management and Security Governance
  • Design and implement security controls for edge services

 

NEW QUESTION # 151
An organization wants to log all AWS API calls made within all of its AWS accounts, and must have a central place to analyze these logs. What steps should be taken to meet these requirements in the MOST secure manner? (Select TWO)

  • A. Update the bucket policy of the bucket in the account that will be storing the logs so that other accounts can log to it
  • B. Turn on CloudTrail in only the account that will be storing the logs
  • C. Turn on AWS CloudTrail in each AWS account
  • D. Update the bucket ACL of the bucket in the account that will be storing the logs so that other accounts can log to it
  • E. Create a service-based role for CloudTrail and associate it with CloudTrail in each account

Answer: A,C

Explanation:
Options A and C are the steps that meet the requirements in the most secure manner. CloudTrail is a service that records AWS API calls and delivers log files to an S3 bucket. Turning on CloudTrail in each AWS account captures all API calls made within those accounts. Updating the bucket policy of the bucket in the account that will be storing the logs grants the other accounts permission to write log files to that bucket.
The other options are either unnecessary or insecure for logging and analyzing IAM API calls.


NEW QUESTION # 152
A company needs a security engineer to implement a scalable solution for multi-account authentication and authorization. The solution should not introduce additional user-managed architectural components. Native AWS features should be used as much as possible. The security engineer has set up AWS Organizations with all features activated and AWS SSO enabled.
Which additional steps should the security engineer take to complete the task?

  • A. Use an AWS SSO default directory to create users and groups for all employees that require access to AWS accounts. Link AWS SSO groups to the IAM users present in all accounts to inherit existing permissions. Instruct employees to access AWS accounts by using the AWS SSO user portal.
  • B. Use an AWS SSO default directory to create users and groups for all employees that require access to AWS accounts. Assign groups to AWS accounts and link to permission sets in accordance with the employees' job functions and access requirements. Instruct employees to access AWS accounts by using the AWS SSO user portal.
  • C. Use AWS Directory Service for Microsoft Active Directory to create users and groups for all employees that require access to AWS accounts. Enable AWS Management Console access in the created directory and specify AWS SSO as a source of information for integrated accounts and permission sets. Instruct employees to access AWS accounts by using the AWS Directory Service user portal.
  • D. Use AD Connector to create users and groups for all employees that require access to AWS accounts. Assign AD Connector groups to AWS accounts and link to the IAM roles in accordance with the employees' job functions and access requirements. Instruct employees to access AWS accounts by using the AWS Directory Service user portal.

Answer: B


NEW QUESTION # 153
A company has contracted with a third party to audit several AWS accounts. To enable the audit, cross-account IAM roles have been created in each account targeted for audit. The Auditor is having trouble accessing some of the accounts.
Which of the following may be causing this problem? (Choose three.)

  • A. The Auditor has not been granted sts:AssumeRole for the role in the destination account.
  • B. The secret key used by the Auditor is missing or incorrect.
  • C. The role ARN used by the Auditor is missing or incorrect.
  • D. The Auditor is using the incorrect password.
  • E. The Amazon EC2 role used by the Auditor must be set to the destination account role.
  • F. The external ID used by the Auditor is missing or incorrect.

Answer: A,C,F

Explanation:
The following may be causing the problem for the Auditor:
* A. The Auditor has not been granted sts:AssumeRole for the role in the destination account. This is a possible cause, because sts:AssumeRole is the API action that allows the Auditor to assume the cross-account role and obtain temporary credentials. The Auditor must have an IAM policy that allows them to call sts:AssumeRole for the role ARN in the destination account.
* C. The role ARN used by the Auditor is missing or incorrect. This is a possible cause, because the role ARN is the Amazon Resource Name of the cross-account role that the Auditor wants to assume. The role ARN must be valid and exist in the destination account.
* F. The external ID used by the Auditor is missing or incorrect. This is a possible cause, because the external ID is a unique identifier that is used to establish a trust relationship between the accounts. The external ID must match the one that is specified in the role's trust policy in the destination account.


NEW QUESTION # 154
Within a VPC, a corporation runs an Amazon RDS Multi-AZ DB instance. The database instance is connected to the internet through a NAT gateway via two subnets.
Additionally, the organization has application servers that are hosted on Amazon EC2 instances and use the RDS database. These EC2 instances have been deployed onto two more private subnets inside the same VPC.
These EC2 instances connect to the internet through a default route via the same NAT gateway. Each VPC subnet has its own route table.
The organization implemented a new security requirement after a recent security examination: the database instance must never be allowed to connect to the internet. A security engineer must perform this update promptly without interfering with the network traffic of the application servers.
How will the security engineer be able to comply with these requirements?

  • A. Configure the route table of the NAT gateway to deny connections to the DB instance subnets.
  • B. Configure the DB instance's inbound network ACL to deny traffic from the security group ID of the NAT gateway.
  • C. Remove the existing NAT gateway. Create a new NAT gateway that only the application server subnets can use.
  • D. Modify the route tables of the DB instance subnets to remove the default route to the NAT gateway.

Answer: D

Explanation:
Each subnet has a route table, so modify the routing associated with DB instance subnets to prevent internet access.


NEW QUESTION # 155
A security engineer is designing an IAM policy to protect AWS API operations. The policy must enforce multi-factor authentication (MFA) for IAM users to access certain services in the AWS production account.
Each session must remain valid for only 2 hours. The current version of the IAM policy is as follows:

Which combination of conditions must the security engineer add to the IAM policy to meet these requirements? (Select TWO.)

  • A. "NumericGreaterThan" : { "aws:MultiFactorAuthAge" : "7200" }
  • B. "NumericLessThan" : { "MaxSessionDuration" : "7200" }
  • C. "Bool" : { "aws:MultiFactorAuthPresent" : "true" }
  • D. "Bool" : { "aws:MultiFactorAuthPresent" : "false" }
  • E. "NumericLessThan" : { "aws:MultiFactorAuthAge" : "7200" }

Answer: C,E

Explanation:
Explanation
The correct combination of conditions to add to the IAM policy is C and E. These conditions ensure that IAM users must use MFA to access certain services in the AWS production account, and that each session expires after 2 hours.
Option C: "Bool" : { "aws:MultiFactorAuthPresent" : "true" } is a valid condition that checks whether the principal (the IAM user) authenticated with MFA before making the request. This condition enforces MFA for the IAM users that access the specified services. This condition key is supported by all AWS services that support IAM policies.
Option D: "Bool" : { "aws:MultiFactorAuthPresent" : "false" } is the opposite of option C. It allows access only if the principal has not authenticated with MFA, which is not the desired requirement.
Option E: "NumericLessThan" : { "aws:MultiFactorAuthAge" : "7200" } is a valid condition that checks whether the time since the principal authenticated with MFA is less than 7200 seconds (2 hours). This condition enforces the session duration limit for the IAM users. This condition key is also supported by all AWS services that support IAM policies.
Option A: "NumericGreaterThan" : { "aws:MultiFactorAuthAge" : "7200" } is the opposite of option E. It allows access only if the time since the principal authenticated with MFA is more than 7200 seconds (2 hours), which is not the desired requirement.
Option B: "NumericLessThan" : { "MaxSessionDuration" : "7200" } is not a valid condition key. MaxSessionDuration is a property of an IAM role, not a condition key. It specifies the maximum session duration (in seconds) for the role, which can be between 3600 and 43200 seconds (1 to 12 hours). This property can be set when creating or modifying a role, but it cannot be used as a condition in a policy.


NEW QUESTION # 156
What are the MOST secure ways to protect the AWS account root user of a recently opened AWS account?
(Select TWO.)

  • A. Enable multi-factor authentication for the AWS account root user.
  • B. Use AWS KMS to encrypt all AWS account root user and AWS IAM access keys and set automatic rotation to 30 days.
  • C. Use the AWS account root user access keys instead of the AWS Management Console.
  • D. Do not create access keys for the AWS account root user; instead, create AWS IAM users.
  • E. Enable multi-factor authentication for the AWS IAM users with the AdministratorAccess managed policy attached to them.

Answer: A,D


NEW QUESTION # 157
A security engineer is working with a company to design an ecommerce application. The application will run on Amazon EC2 instances that run in an Auto Scaling group behind an Application Load Balancer (ALB). The application will use an Amazon RDS DB instance for its database.
The only required connectivity from the internet is for HTTP and HTTPS traffic to the application. The application must communicate with an external payment provider that allows traffic only from a preconfigured allow list of IP addresses. The company must ensure that communications with the external payment provider are not interrupted as the environment scales.
Which combination of actions should the security engineer recommend to meet these requirements? (Select THREE.)

  • A. Place the DB instance in a public subnet.
  • B. Configure the Auto Scaling group to place the EC2 instances in a private subnet.
  • C. Configure the Auto Scaling group to place the EC2 instances in a public subnet.
  • D. Place the DB instance in a private subnet.
  • E. Deploy a NAT gateway in each private subnet for every Availability Zone that is in use.
  • F. Deploy the ALB in a private subnet.

Answer: B,D,E


NEW QUESTION # 158
An IT department currently has a Java web application deployed on Apache Tomcat running on Amazon EC2 instances. All traffic to the EC2 instances is sent through an internet-facing Application Load Balancer (ALB). During the past two days, the Security team has noticed thousands of unusual read requests coming from hundreds of IP addresses. This is causing the Tomcat server to run out of threads and reject new connections. Which is the SIMPLEST change that would address this server issue?

  • A. Create an AWS Web Application Firewall (WAF) and attach it to the ALB
  • B. Create an Amazon CloudFront distribution and configure the ALB as the origin
  • C. Map the application domain name to use Route 53
  • D. Block the malicious IPs with a network access control list (NACL).

Answer: B

Explanation:
Option B is the simplest change that can address the server issue. CloudFront is a service that provides a global network of edge locations that cache and deliver web content. Creating a CloudFront distribution and configuring the ALB as the origin reduces the load on the Tomcat server by serving cached content to the end users. CloudFront can also provide protection against distributed denial-of-service (DDoS) attacks by filtering malicious traffic at the edge locations. The other options are either ineffective or complex for solving the server issue.


NEW QUESTION # 159
A large corporation is creating a multi-account strategy and needs to determine how its employees should access the AWS infrastructure.
Which of the following solutions would provide the MOST scalable solution?

  • A. Configure the IAM trust policies within each account's role to set up a trust back to the corporation's existing identity provider, allowing users to assume the role based off their SAML token.
  • B. Use a centralized account with IAM roles that employees can assume through federation with their existing identity provider. Use cross-account roles to allow the federated users to assume their target role in the resource accounts.
  • C. Create dedicated IAM users within each AWS account that employees can assume through federation based upon group membership in their existing identity provider.
  • D. Configure the AWS Security Token Service to use Kerberos tokens so that users can use their existing corporate user names and passwords to access AWS resources directly.

Answer: B

Explanation:
Option B is the most scalable solution for accessing the AWS infrastructure in a multi-account strategy. A multi-account strategy is a way of organizing your AWS resources into multiple AWS accounts for security, billing, and management purposes. Federation is a process that allows users to access AWS resources using credentials from an external identity provider such as Active Directory or SAML. IAM roles are sets of permissions that grant access to AWS resources. Cross-account roles are IAM roles that allow users in one account to access resources in another account. By using a centralized account with IAM roles that employees can assume through federation with their existing identity provider, you can simplify and streamline the access management process. By using cross-account roles to allow the federated users to assume their target role in the resource accounts, you can enable granular and flexible access control across multiple accounts. The other options are either less scalable or less secure for accessing the AWS infrastructure in a multi-account strategy.


NEW QUESTION # 160
Your CTO thinks your AWS account was hacked. What is the only way to know for certain whether there was unauthorized access and what they did, assuming your hackers are very sophisticated AWS engineers who are doing everything they can to cover their tracks?

  • A. Use AWS Config SNS Subscriptions and process events in real time.
  • B. Use CloudTrail Log File Integrity Validation.
  • C. Use CloudTrail backed up to Amazon S3 and Glacier.
  • D. Use AWS Config Timeline forensics.

Answer: B

Explanation:
The AWS documentation mentions the following:
To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use CloudTrail log file integrity validation. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection. You can use the AWS CLI to validate the files in the location where CloudTrail delivered them. Validated log files are invaluable in security and forensic investigations. For example, a validated log file enables you to assert positively that the log file itself has not changed, or that particular user credentials performed specific API activity. The CloudTrail log file integrity validation process also lets you know if a log file has been deleted or changed, or assert positively that no log files were delivered to your account during a given period of time.
Options A, C and D are invalid because you need to use log file integrity validation for CloudTrail logs. For more information on CloudTrail log file validation, please visit the below URL:
http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html
The correct answer is: Use CloudTrail Log File Integrity Validation.


NEW QUESTION # 161
A company is designing a multi-account structure for its development teams. The company is using AWS Organizations and AWS Single Sign-On (AWS SSO). The company must implement a solution so that the development teams can use only specific AWS Regions and so that each AWS account allows access to only specific AWS services.
Which solution will meet these requirements with the LEAST operational overhead?

  • A. Deactivate AWS Security Token Service (AWS STS) in Regions that the developers are not allowed to use.
  • B. Create SCPs that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.
  • C. For each AWS account, create tailored identity-based policies for AWS SSO. Use statements that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.
  • D. Use AWS SSO to set up service-linked roles with IAM policy statements that include the Condition, Resource, and NotAction elements to allow access to only the Regions and services that are needed.

Answer: B


NEW QUESTION # 162
A security engineer is implementing a solution to allow users to seamlessly encrypt Amazon S3 objects without having to touch the keys directly. The solution must be highly scalable without requiring continual management. Additionally, the organization must be able to immediately delete the encryption keys.
Which solution meets these requirements?

  • A. Use AWS CloudHSM to store the keys and then use the CloudHSM API or the PKCS11 library to delete the keys if necessary.
  • B. Use AWS KMS with AWS managed keys and the ScheduleKeyDeletion API with a PendingWindowInDays set to 0 to remove the keys if necessary.
  • C. Use AWS KMS with imported key material and then use the DeleteImportedKeyMaterial API to remove the key material if necessary.
  • D. Use the Systems Manager Parameter Store to store the keys and then use the service API operations to delete the keys if necessary.

Answer: B

Explanation:
For seamless encryption of Amazon S3 objects without direct key management, AWS Key Management Service (KMS) with AWS managed keys offers a highly scalable and manageable solution. The ScheduleKeyDeletion API with PendingWindowInDays set to 0 allows for immediate deletion of the keys, meeting the requirement for immediate key removal. This approach leverages the managed infrastructure of KMS, reducing the overhead of key management while ensuring scalability and security. The integration of KMS with S3 and the ability to schedule key deletion provides a balance between ease of use and security control.


NEW QUESTION # 163
A company has two AWS accounts: Account A and Account B. Account A has an IAM role that IAM users in Account B assume when they need to upload sensitive documents to Amazon S3 buckets in Account A.
A new requirement mandates that users can assume the role only if they are authenticated with multi-factor authentication (MFA). A security engineer must recommend a solution that meets this requirement with minimum risk and effort.
Which solution should the security engineer recommend?

  • A. Add an aws:MultiFactorAuthPresent condition to the session policy.
  • B. Add an aws:MultiFactorAuthPresent condition to the role's trust policy.
  • C. Add an aws:MultiFactorAuthPresent condition to the S3 bucket policies.
  • D. Add an aws:MultiFactorAuthPresent condition to the role's permissions policy.

Answer: B

Explanation:
To ensure that IAM users in Account B can only assume a role in Account A if they are authenticated with Multi-Factor Authentication (MFA), the recommended solution is to add an aws:MultiFactorAuthPresent condition to the role's trust policy in Account A. The trust policy defines which principals (users, applications, services) can assume the role and under what conditions. By adding the aws:MultiFactorAuthPresent condition, the policy explicitly requires MFA to be present for the assume role action to succeed. This ensures that only authenticated users with MFA can assume the role, enhancing the security posture with minimal operational overhead and without modifying permissions or session policies, which could affect the role's intended capabilities.
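The MFA conditions discussed in questions 155 and 163 behave as they do because of how IAM evaluates condition keys. The following added Python example (not code from the exam page or from AWS) models that evaluation for the Bool and Numeric operators, including the case that trips people up: the aws:MultiFactorAuthPresent and aws:MultiFactorAuthAge keys are absent when a call is signed with long-term access keys, and a missing key fails the test. The account ID and principal ARNs are placeholders.

```python
# Added example (not from the exam page): evaluates the MFA condition keys
# from questions 155 and 163 the way IAM does.  Two details matter:
#   * aws:MultiFactorAuthPresent and aws:MultiFactorAuthAge are absent from
#     the request context when a call is signed with long-term access keys,
#     and IAM treats a missing key as a failed test for Bool and Numeric*
#     operators (only the ...IfExists and Null operators differ);
#   * every operator and key in a Condition block must match (logical AND).
from typing import Any, Dict

# Question 155: the two conditions to add (options C and E).
PERMISSIONS_CONDITION = {
    "Bool": {"aws:MultiFactorAuthPresent": "true"},
    "NumericLessThan": {"aws:MultiFactorAuthAge": "7200"},  # 2 hours
}

# Question 163: trust policy on the Account A role.  The account ID is a
# placeholder, not a real account.
ACCOUNT_B = "111111111111"
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_B}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}


def _test(operator: str, expected: str, actual: Any) -> bool:
    """Evaluate one condition operator against a single context value."""
    if operator == "Bool":
        return str(actual).lower() == expected.lower()
    if operator == "NumericLessThan":
        return float(actual) < float(expected)
    if operator == "NumericGreaterThan":
        return float(actual) > float(expected)
    raise ValueError(f"operator not modelled here: {operator}")


def condition_matches(condition: Dict[str, Dict[str, str]], context: Dict[str, Any]) -> bool:
    """True only if every (operator, key) test passes.  A key that is missing
    from the request context fails its test, exactly as IAM treats it."""
    for operator, tests in condition.items():
        for key, expected in tests.items():
            if key not in context or not _test(operator, expected, context[key]):
                return False
    return True


def _principal_allowed(principal_entry: str, caller_arn: str) -> bool:
    """'arn:aws:iam::<acct>:root' admits any IAM principal of that account
    (subject to the caller's own permissions); otherwise require an exact ARN.
    The account ID is field 4 of an ARN split on ':'."""
    if principal_entry.endswith(":root"):
        return principal_entry.split(":")[4] == caller_arn.split(":")[4]
    return principal_entry == caller_arn


def assume_role_allowed(trust_policy: Dict[str, Any], caller_arn: str,
                        context: Dict[str, Any]) -> bool:
    """Does the trust policy let caller_arn call sts:AssumeRole with this context?"""
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        if not _principal_allowed(stmt["Principal"]["AWS"], caller_arn):
            continue
        if condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


# Constructed request contexts; the MFA keys exist only for MFA-backed sessions.
CTX_ACCESS_KEY: Dict[str, Any] = {}  # long-term access keys, no MFA keys at all
CTX_MFA_FRESH = {"aws:MultiFactorAuthPresent": "true", "aws:MultiFactorAuthAge": "600"}
CTX_MFA_STALE = {"aws:MultiFactorAuthPresent": "true", "aws:MultiFactorAuthAge": "7201"}

if __name__ == "__main__":
    caller = f"arn:aws:iam::{ACCOUNT_B}:user/alice"  # placeholder principal
    for name, ctx in [("access key", CTX_ACCESS_KEY), ("MFA 10 min", CTX_MFA_FRESH),
                      ("MFA 2h+1s", CTX_MFA_STALE)]:
        print(f"{name:>10}: q155 allowed={condition_matches(PERMISSIONS_CONDITION, ctx)}, "
              f"q163 assume={assume_role_allowed(TRUST_POLICY, caller, ctx)}")
```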


NEW QUESTION # 164
A company hosts a public website on an Amazon EC2 instance. HTTPS traffic must be able to access the website. The company uses SSH for management of the web server.
The website is on the subnet 10.0.1.0/24. The management subnet is 192.168.100.0/24. A security engineer must create a security group for the EC2 instance.
Which combination of steps should the security engineer take to meet these requirements in the MOST secure manner? (Select TWO.)

  • A. Allow port 22 from source 0.0.0.0/0.
  • B. Allow port 443 from source 0.0.0.0/0.
  • C. Allow port 22 from 192.168.100.0/24.
  • D. Allow port 443 from 10.0.1.0/24.
  • E. Allow port 22 from 10.0.1.0/24.

Answer: B,C

Explanation:
The correct answer is B and C.
B: Allow port 443 from source 0.0.0.0/0.
This is correct because port 443 is used for HTTPS traffic, which must be able to access the website from any source IP address.
C: Allow port 22 from 192.168.100.0/24.
This is correct because port 22 is used for SSH, which is the management protocol for the web server. The management subnet is 192.168.100.0/24, so only this subnet should be allowed to access port 22.
A: Allow port 22 from source 0.0.0.0/0.
This is incorrect because it would allow anyone to access port 22, which is a security risk. SSH should be restricted to the management subnet only.
D: Allow port 443 from 10.0.1.0/24.
This is incorrect because it would limit the HTTPS traffic to the website subnet only, which defeats the purpose of having a public website.
E: Allow port 22 from 10.0.1.0/24.
This is incorrect because it would allow the website subnet to access port 22, which is unnecessary and a security risk. SSH should be restricted to the management subnet only.
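The reasoning above can be turned into a check. The following added Python example (not from the exam page) audits a rule set, written in the IpPermissions shape the EC2 DescribeSecurityGroups API returns, against the two requirements: TCP 443 from anywhere and TCP 22 only from 192.168.100.0/24. It reports rules that are wider than required (options A and E) and rules too narrow to satisfy a requirement (option D); the sample rule sets are constructed for the example.

```python
# Added example (not from the exam page): audit a security group rule set
# against the requirements of question 164.  Rules use the IpPermissions
# structure returned by the EC2 DescribeSecurityGroups API.
import ipaddress
from typing import Dict, List, Tuple

MANAGEMENT_SUBNET = ipaddress.ip_network("192.168.100.0/24")
ANYWHERE = ipaddress.ip_network("0.0.0.0/0")

# The widest source each TCP port may be opened to.  Ports not listed here
# must not be reachable at all.
REQUIRED_SOURCES = {443: ANYWHERE, 22: MANAGEMENT_SUBNET}


def port_span(rule: Dict) -> Tuple[int, int]:
    """Inclusive port range of a rule; protocol -1 means every port."""
    if rule.get("IpProtocol") == "-1":
        return 0, 65535
    return rule["FromPort"], rule["ToPort"]


def audit_rules(ip_permissions: List[Dict]) -> List[str]:
    """Findings for rules that are wider than the requirement allows.  An
    empty list means no rule exposes more than it should."""
    findings = []
    for rule in ip_permissions:
        lo, hi = port_span(rule)
        required_here = [p for p in REQUIRED_SOURCES if lo <= p <= hi]
        surplus = (hi - lo + 1) - len(required_here)  # ports nobody asked for
        for rng in rule.get("IpRanges", []):
            src = ipaddress.ip_network(rng["CidrIp"])
            if surplus:
                findings.append(f"{src} reaches {surplus} port(s) in {lo}-{hi} "
                                f"that no requirement needs")
            for port in required_here:
                allowed = REQUIRED_SOURCES[port]
                if not src.subnet_of(allowed):
                    findings.append(f"port {port} open to {src}, wider than "
                                    f"the permitted {allowed}")
    return findings


def missing_coverage(ip_permissions: List[Dict]) -> List[int]:
    """Required ports whose required source is not fully admitted by any rule
    (a rule that is too narrow, such as 443 from the website subnet only)."""
    missing = []
    for port, needed in REQUIRED_SOURCES.items():
        covered = False
        for rule in ip_permissions:
            lo, hi = port_span(rule)
            if not lo <= port <= hi:
                continue
            for rng in rule.get("IpRanges", []):
                if needed.subnet_of(ipaddress.ip_network(rng["CidrIp"])):
                    covered = True
        if not covered:
            missing.append(port)
    return sorted(missing)


def tcp_rule(port: int, cidr: str) -> Dict:
    """Build a single-port TCP ingress rule in IpPermissions shape."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}]}


# Constructed rule sets mirroring the answer options.
COMPLIANT_RULES = [tcp_rule(443, "0.0.0.0/0"), tcp_rule(22, "192.168.100.0/24")]  # B + C
WEAK_RULES = [tcp_rule(443, "0.0.0.0/0"), tcp_rule(22, "0.0.0.0/0")]              # B + A
NARROW_RULES = [tcp_rule(443, "10.0.1.0/24"), tcp_rule(22, "192.168.100.0/24")]   # D + C

if __name__ == "__main__":
    for name, rules in [("compliant", COMPLIANT_RULES), ("weak", WEAK_RULES),
                        ("narrow", NARROW_RULES)]:
        print(name, "->", audit_rules(rules) or "no over-exposure",
              "| uncovered ports:", missing_coverage(rules) or "none")
```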


NEW QUESTION # 165
A web application gives users the ability to log in, verify their membership's validity, and browse artifacts that are stored in an Amazon S3 bucket. When a user attempts to download an object, the application must verify the permission to access the object and allow the user to download the object from a custom domain name such as example.com.
What is the MOST secure way for a security engineer to implement this functionality?

  • A. Create an Amazon CloudFront signed URL. Provide the CloudFront signed URL to the user through the application.
  • B. Create an S3 presigned URL. Provide the S3 presigned URL to the user through the application.
  • C. Implement an IAM policy to give the user read access to the S3 bucket.
  • D. Configure read-only access to the object by using a bucket ACL. Remove the access after a set time has elapsed.

Answer: A

Explanation:
For this scenario you would need to set up static website hosting because a custom domain name is listed as a requirement. However, "Amazon S3 website endpoints do not support HTTPS or access points. If you want to use HTTPS, you can use Amazon CloudFront to serve a static website hosted on Amazon S3." Plain HTTP is not secure (see https://docs.aws.amazon.com/AmazonS3/latest/userguide/website-hosting-custom-domain-walkthrough.html). CloudFront signed URLs allow much more fine-grained control as well as HTTPS access with custom domain names: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-urls.html


NEW QUESTION # 166
A company has thousands of AWS Lambda functions. While reviewing the Lambda functions, a security engineer discovers that sensitive information is being stored in environment variables and is viewable as plaintext in the Lambda console. The values of the sensitive information are only a few characters long.
What is the MOST cost-effective way to address this security issue?

  • A. Store the environment variables in AWS Systems Manager Parameter Store as secure string parameters, and access them at runtime. Use IAM permissions to restrict access to the parameters to only the Lambda functions that require access.
  • B. Use AWS Step Functions to store the environment variables. Access the environment variables at runtime. Use IAM permissions to restrict access to the environment variables to only the Lambda functions that require access.
  • C. Store the environment variables in AWS Secrets Manager, and access them at runtime. Use IAM permissions to restrict access to the secrets to only the Lambda functions that require access.
  • D. Set up IAM policies from the Lambda console to hide access to the environment variables.

Answer: A

Explanation:
Storing sensitive information in environment variables is not a secure practice, as anyone who has access to the Lambda console or the Lambda function code can view them as plaintext. To address this security issue, the security engineer needs to use a service that can store and encrypt the environment variables, and access them at runtime using IAM permissions. The most cost-effective way to do this is to use AWS Systems Manager Parameter Store, which is a service that provides secure, hierarchical storage for configuration data management and secrets management. Parameter Store allows you to store values as standard parameters (plaintext) or secure string parameters (encrypted). Secure string parameters use an AWS Key Management Service (AWS KMS) customer master key (CMK) to encrypt the parameter value. To access the parameter value at runtime, the Lambda function needs to have IAM permissions to decrypt the parameter using the KMS CMK.
The other options are incorrect because:
* Option D is incorrect because setting up IAM policies from the Lambda console to hide access to the environment variables will not prevent someone who has access to the Lambda function code from viewing them as plaintext. IAM policies can only control who can perform actions on AWS resources, not what they can see in the code or the console.
* Option B is incorrect because using AWS Step Functions to store the environment variables is not a secure or cost-effective solution. AWS Step Functions is a service that lets you coordinate multiple AWS services into serverless workflows. Step Functions does not provide any encryption or secrets management capabilities, and it will incur additional charges for each state transition in the workflow.
Moreover, storing environment variables in Step Functions will make them visible in the execution history of the workflow, which can be accessed by anyone who has permission to view the Step Functions console or API.
* Option C is incorrect because storing the environment variables in AWS Secrets Manager and accessing them at runtime is not a cost-effective solution. AWS Secrets Manager is a service that helps you protect secrets needed to access your applications, services, and IT resources. Secrets Manager enables you to rotate, manage, and retrieve secrets throughout their lifecycle. While Secrets Manager can securely store and encrypt environment variables using KMS CMKs, it will incur higher charges than Parameter Store for storing and retrieving secrets. Unless the security engineer needs the advanced features of Secrets Manager, such as automatic rotation of secrets or integration with other AWS services, Parameter Store is a cheaper and simpler option.


NEW QUESTION # 167
A company is migrating one of its legacy systems from an on-premises data center to AWS. The application server will run on AWS, but the database must remain in the on-premises data center for compliance reasons. The database is sensitive to network latency. Additionally, the data that travels between the on-premises data center and AWS must have IPsec encryption.
Which combination of AWS solutions will meet these requirements? (Choose two.)

  • A. AWS Site-to-Site VPN
  • B. AWS VPN CloudHub
  • C. NAT gateway
  • D. VPC peering
  • E. AWS Direct Connect

Answer: A,E

Explanation:
The correct combination of AWS solutions that will meet these requirements is A. AWS Site-to-Site VPN and E. AWS Direct Connect.
A) AWS Site-to-Site VPN is a service that allows you to securely connect your on-premises data center to your AWS VPC over the internet using IPsec encryption. This solution meets the requirement of encrypting the data in transit between the on-premises data center and AWS.
E) AWS Direct Connect is a service that allows you to establish a dedicated network connection between your on-premises data center and your AWS VPC. This solution meets the requirement of reducing network latency between the on-premises data center and AWS.
B) AWS VPN CloudHub is a service that allows you to connect multiple VPN connections from different locations to the same virtual private gateway in your AWS VPC. This solution is not relevant for this scenario, as there is only one on-premises data center involved.
C) NAT gateway is a service that allows you to enable internet access for instances in a private subnet in your AWS VPC. This solution does not meet the requirement of connecting an on-premises data center to AWS, as it only works for outbound traffic from your VPC.
D) VPC peering is a service that allows you to connect two or more VPCs in the same or different regions using private IP addresses. This solution does not meet the requirement of connecting an on-premises data center to AWS, as it only works for VPCs.


NEW QUESTION # 168
An international company wants to combine AWS Security Hub findings across all the company's AWS Regions and from multiple accounts. In addition, the company wants to create a centralized custom dashboard to correlate these findings with operational data for deeper analysis and insights. The company needs an analytics tool to search and visualize Security Hub findings.
Which combination of steps will meet these requirements? (Select THREE.)

  • A. In each Region, create an Amazon EventBridge rule to deliver findings to an Amazon Kinesis data stream. Configure the Kinesis data streams to output the logs to a single Amazon S3 bucket.
  • B. Partition the Amazon S3 data. Use AWS Glue to crawl the S3 bucket and build the schema. Use Amazon Athena to query the data and create views to flatten nested attributes. Build Amazon QuickSight dashboards that use the Athena views.
  • C. Designate an AWS account as a delegated administrator for Security Hub. Publish events to Amazon CloudWatch from the delegated administrator account, all member accounts, and required Regions that are enabled for Security Hub findings.
  • D. Designate an AWS account in an organization in AWS Organizations as a delegated administrator for Security Hub. Publish events to Amazon EventBridge from the delegated administrator account, all member accounts, and required Regions that are enabled for Security Hub findings.
  • E. In each Region, create an Amazon EventBridge rule to deliver findings to an Amazon Kinesis Data Firehose delivery stream. Configure the Kinesis Data Firehose delivery streams to deliver the logs to a single Amazon S3 bucket.
  • F. Use AWS Glue DataBrew to crawl the Amazon S3 bucket and build the schema. Use AWS Glue Data Catalog to query the data and create views to flatten nested attributes. Build Amazon QuickSight dashboards by using Amazon Athena.

Answer: B,D,E

Explanation:
The correct answer is B, D, and E. Designate an AWS account in an organization in AWS Organizations as a delegated administrator for Security Hub. Publish events to Amazon EventBridge from the delegated administrator account, all member accounts, and required Regions that are enabled for Security Hub findings. In each Region, create an Amazon EventBridge rule to deliver findings to an Amazon Kinesis Data Firehose delivery stream. Configure the Kinesis Data Firehose delivery streams to deliver the logs to a single Amazon S3 bucket. Partition the Amazon S3 data. Use AWS Glue to crawl the S3 bucket and build the schema. Use Amazon Athena to query the data and create views to flatten nested attributes. Build Amazon QuickSight dashboards that use the Athena views.
According to the AWS documentation, AWS Security Hub is a service that provides you with a comprehensive view of your security state across your AWS accounts, and helps you check your environment against security standards and best practices. You can use Security Hub to aggregate security findings from various sources, such as AWS services, partner products, or your own applications.
To use Security Hub with multiple AWS accounts and Regions, you need to enable AWS Organizations with all features enabled. This allows you to centrally manage your accounts and apply policies across your organization. You can also use Security Hub as a service principal for AWS Organizations, which lets you designate a delegated administrator account for Security Hub. The delegated administrator account can enable Security Hub automatically in all existing and future accounts in your organization, and can view and manage findings from all accounts.
According to the AWS documentation, Amazon EventBridge is a serverless event bus that makes it easy to connect applications using data from your own applications, integrated software as a service (SaaS) applications, and AWS services. You can use EventBridge to create rules that match events from various sources and route them to targets for processing.
To use EventBridge with Security Hub findings, you need to enable Security Hub as an event source in EventBridge. This will allow you to publish events from Security Hub to EventBridge in the same Region. You can then create EventBridge rules that match Security Hub findings based on criteria such as severity, type, or resource. You can also specify targets for your rules, such as Lambda functions, SNS topics, or Kinesis Data Firehose delivery streams.
According to the AWS documentation, Amazon Kinesis Data Firehose is a fully managed service that delivers real-time streaming data to destinations such as Amazon S3, Amazon Redshift, Amazon Elasticsearch Service (Amazon ES), and Splunk. You can use Kinesis Data Firehose to transform and enrich your data before delivering it to your destination.
To use Kinesis Data Firehose with Security Hub findings, you need to create a Kinesis Data Firehose delivery stream in each Region where you have enabled Security Hub. You can then configure the delivery stream to receive events from EventBridge as a source, and deliver the logs to a single S3 bucket as a destination. You can also enable data transformation or compression on the delivery stream if needed.
According to the AWS documentation, Amazon S3 is an object storage service that offers scalability, data availability, security, and performance. You can use S3 to store and retrieve any amount of data from anywhere on the web. You can also use S3 features such as lifecycle management, encryption, versioning, and replication to optimize your storage.
To use S3 with Security Hub findings, you need to create an S3 bucket that will store the logs from Kinesis Data Firehose delivery streams. You can then partition the data in the bucket by using prefixes such as account ID or Region. This will improve the performance and cost-effectiveness of querying the data.
According to the AWS documentation, AWS Glue is a fully managed extract, transform, and load (ETL) service that makes it easy to prepare and load your data for analytics. You can use Glue to crawl your data sources, identify data formats, and suggest schemas and transformations. You can also use Glue Data Catalog as a central metadata repository for your data assets.
To use Glue with Security Hub findings, you need to create a Glue crawler that will crawl the S3 bucket and build the schema for the data. The crawler will create tables in the Glue Data Catalog that you can query using standard SQL.
According to the AWS documentation, Amazon Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL. Athena is serverless, so there is no infrastructure to manage, and you pay only for the queries that you run. You can use Athena with Glue Data Catalog as a metadata store for your tables.
To use Athena with Security Hub findings, you need to create views in Athena that will flatten nested attributes in the data. For example, you can create views that extract fields such as account ID, Region, resource type, resource ID, finding type, finding title, and finding description from the JSON data. You can then query the views using SQL and join them with other tables if needed.
According to the AWS documentation, Amazon QuickSight is a fast, cloud-powered business intelligence service that makes it easy to deliver insights to everyone in your organization. You can use QuickSight to create and publish interactive dashboards that include machine learning insights. You can also use QuickSight to connect to various data sources, such as Athena, S3, or RDS.
To use QuickSight with Security Hub findings, you need to create QuickSight dashboards that use the Athena views as data sources. You can then visualize and analyze the findings using charts, graphs, maps, or tables. You can also apply filters, calculations, or aggregations to the data. You can then share the dashboards with your users or embed them in your applications.
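The flattening step the explanation describes, as an added example that is not part of the page: an EventBridge Security Hub event (findings in ASFF under detail.findings) is turned into the flat rows the Athena views would expose, plus the account/Region partition prefix used in the S3 bucket. The event, account ID, Region and ARNs below are constructed placeholders.

```python
"""Added example: flatten a Security Hub finding event into Athena-style rows.
The sample event and every identifier in it are constructed, not real data."""
import json

# Constructed sample of what EventBridge -> Kinesis Data Firehose lands in S3.
SAMPLE_EVENT = json.dumps({
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [{
        "AwsAccountId": "111122223333",
        "Region": "us-east-1",
        "Types": ["Software and Configuration Checks/AWS Security Best Practices"],
        "Title": "S3 buckets should block public access",
        "Description": "Bucket allows public read access.",
        "Severity": {"Label": "HIGH"},
        "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket"},
                      {"Type": "AwsAccount", "Id": "AWS::::Account:111122223333"}],
    }]},
})


def partition_prefix(finding):
    """Hive-style S3 prefix so Athena can prune scans by account and Region."""
    return f"account_id={finding['AwsAccountId']}/region={finding['Region']}/"


def flatten_event(raw):
    """One row per (finding, resource) pair, like an Athena view that UNNESTs
    the nested Resources array; columns are the fields named in the explanation."""
    rows = []
    for f in json.loads(raw)["detail"]["findings"]:
        # A finding with no Resources still yields one row with empty resource columns.
        for r in f.get("Resources") or [{}]:
            rows.append({
                "account_id": f["AwsAccountId"],
                "region": f["Region"],
                "resource_type": r.get("Type"),
                "resource_id": r.get("Id"),
                "finding_type": f["Types"][0] if f.get("Types") else None,
                "title": f["Title"],
                "description": f.get("Description"),
                "severity": f.get("Severity", {}).get("Label"),
                "s3_prefix": partition_prefix(f),
            })
    return rows
```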


NEW QUESTION # 169
A developer at a company uses an SSH key to access multiple Amazon EC2 instances. The company discovers that the SSH key has been posted on a public GitHub repository. A security engineer verifies that the key has not been used recently.
How should the security engineer prevent unauthorized access to the EC2 instances?

  • A. Delete the key pair from the EC2 console. Create a new key pair.
  • B. Update the key pair in any AMI that is used to launch the EC2 instances. Restart the EC2 instances.
  • C. Restrict SSH access in the security group to only known corporate IP addresses.
  • D. Use the ModifyInstanceAttribute API operation to change the key on any EC2 instance that is using the key.

Answer: C


NEW QUESTION # 170
An Amazon EC2 Auto Scaling group launches Amazon Linux EC2 instances and installs the Amazon CloudWatch agent to publish logs to Amazon CloudWatch Logs. The EC2 instances launch with an IAM role that has an IAM policy attached. The policy provides access to publish custom metrics to CloudWatch. The EC2 instances run in a private subnet inside a VPC. The VPC provides access to the internet for private subnets through a NAT gateway.
A security engineer notices that no logs are being published to CloudWatch Logs for the EC2 instances that the Auto Scaling group launches. The security engineer validates that the CloudWatch Logs agent is running and is configured properly on the EC2 instances. In addition, the security engineer validates that network communications are working properly to AWS services.
What can the security engineer do to ensure that the logs are published to CloudWatch Logs?

  • A. Configure the IAM policy in use by the IAM role to have access to the required AWS logs: API actions that will publish logs.
  • B. Configure the IAM policy in use by the IAM role to have access to the required cloudwatch: API actions that will publish logs.
  • C. Adjust the Amazon EC2 Auto Scaling service-linked role to have permissions to write to CloudWatch Logs.
  • D. Add an interface VPC endpoint to provide a route to CloudWatch Logs.

Answer: A

Explanation:
Adjusting the IAM policy attached to the IAM role used by EC2 instances to include the necessary AWS Logs API actions for publishing logs to CloudWatch Logs addresses the issue. This ensures that the EC2 instances have the required permissions to interact with CloudWatch Logs, facilitating the successful publication of logs from the instances.


NEW QUESTION # 171
A company has an AWS Lambda function that creates image thumbnails from larger images. The Lambda function needs read and write access to an Amazon S3 bucket in the same AWS account.
Which solutions will provide the Lambda function this access? (Select TWO.)

  • A. Create an IAM role for the Lambda function. Attach a bucket policy to the S3 bucket to allow access. Specify the function's IAM role as the principal.
  • B. Create an IAM role for the Lambda function. Attach an IAM policy that allows access to the S3 bucket.
  • C. Create an IAM user that has only programmatic access. Create a new access key pair. Add environmental variables to the Lambda function with the access key ID and secret access key. Modify the Lambda function to use the environmental variables at run time during communication with Amazon S3.
  • D. Create a security group. Attach the security group to the Lambda function. Attach a bucket policy that allows access to the S3 bucket through the security group ID.
  • E. Generate an Amazon EC2 key pair. Store the private key in AWS Secrets Manager. Modify the Lambda function to retrieve the private key from Secrets Manager and to use the private key during communication with Amazon S3.

Answer: A,B
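Questions 170 and 171 both turn on what a policy actually grants. The following is an added example, not from the exam page: a deliberately simplified IAM-style evaluator (assumptions: no Condition keys, '*' is the only wildcard, an explicit Deny beats any Allow) used to show that the metrics-only instance role from question 170 lacks the logs: actions the CloudWatch agent calls, and that a bucket policy naming the Lambda execution role as principal (question 171, option A) grants only that role. All ARNs, account IDs and bucket names are constructed placeholders.

```python
"""Added example: minimal IAM-style policy evaluation for questions 170 and 171.
Simplified on purpose (assumption): no Conditions, '*' wildcard only, Deny wins."""
import fnmatch

# Constructed placeholders, not real account, role or bucket identifiers.
ROLE_ARN = "arn:aws:iam::111122223333:role/thumbnail-lambda-role"
BUCKET_ARN = "arn:aws:s3:::example-images-bucket"
LOG_GROUP_ARN = "arn:aws:logs:us-east-1:111122223333:log-group:/app:log-stream:i-0abc"

# Q170 as described: the instance role only allows custom metrics, no logs: actions.
METRICS_ONLY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "cloudwatch:PutMetricData", "Resource": "*"}]}
# Actions the CloudWatch agent needs in the logs: namespace to ship log events.
AGENT_LOG_ACTIONS = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
# The fix from answer A: add those logs: actions to the role's policy.
FIXED_POLICY = {"Statement": METRICS_ONLY_POLICY["Statement"] + [
    {"Effect": "Allow", "Action": AGENT_LOG_ACTIONS, "Resource": "arn:aws:logs:*:*:*"}]}
# Q171 option A: bucket policy whose principal is the function's execution role.
BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": BUCKET_ARN + "/*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(stmt, principal):
    spec = stmt.get("Principal")  # identity-based policies carry no Principal element
    if spec is None:
        return True
    if principal is None:
        return False
    return spec == "*" or _matches(spec.get("AWS", []), principal)


def policy_allows(policy, action, resource, principal=None):
    """Explicit Deny wins; otherwise any matching Allow grants; else implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_principal_matches(stmt, principal)
                and _matches(stmt.get("Action", []), action)
                and _matches(stmt.get("Resource", []), resource)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def missing_actions(policy, actions, resource, principal=None):
    """Required actions the policy does not grant: the diagnosis for question 170."""
    return [a for a in actions if not policy_allows(policy, a, resource, principal)]
```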


NEW QUESTION # 172
A company is building a data processing application that uses AWS Lambda functions. The application's Lambda functions need to communicate with an Amazon RDS DB instance that is deployed within a VPC in the same AWS account. Which solution meets these requirements in the MOST secure way?

  • A. Configure the DB instance to allow public access. Update the DB instance security group to allow access from the Lambda public address space for the AWS Region.
  • B. Deploy the Lambda functions inside the VPC. Attach a network ACL to the Lambda subnet. Provide outbound rule access to the VPC CIDR range only. Update the DB instance security group to allow traffic from 0.0.0.0/0.
  • C. Peer the Lambda default VPC with the VPC that hosts the DB instance to allow direct network access without the need for security groups.
  • D. Deploy the Lambda functions inside the VPC. Attach a security group to the Lambda functions. Provide outbound rule access to the VPC CIDR range only. Update the DB instance security group to allow traffic from the Lambda security group.

Answer: D

Explanation:
The AWS documentation states that you can deploy the Lambda functions inside the VPC and attach a security group to the Lambda functions. You can then provide outbound rule access to the VPC CIDR range only and update the DB instance security group to allow traffic from the Lambda security group. This method is the most secure way to meet the requirements.
References: AWS Lambda Developer Guide


NEW QUESTION # 173
......

