Amazon Web Services SCS-C02 Exam With Confidence Using Practice Dumps

AWS WAF Geo Match Condition:

Use AWS WAF to create a web access control list (web ACL).

Add a geo match condition to block traffic originating from the specified countries.

Associate Web ACL with CloudFront:

Attach the web ACL to the CloudFront distribution.

Requests from blocked countries will be denied at the CloudFront edge locations, ensuring compliance with data regulation policies.

Advantages of Using AWS WAF:

Cost-effective: Only pay for WAF rules, which are more economical than alternative solutions.

Scalable: Automatically handles global traffic without additional configuration.

Alternative Options:

Using CloudFront's geo-restriction feature (Option C) is also possible but lacks the flexibility and granularity of WAF rules.

AWS WAF Geo Match Conditions

Using AWS WAF with CloudFront

The correct answer is D. Attach the CloudWatchAgentServerPolicy AWS managed policy to the EC2 instance role.

According to the AWS documentation1, the CloudWatch agent is a software agent that you can install on your EC2 instances to collect system-level metrics and logs. To use the CloudWatch agent, you need to attach an IAM role or user to the EC2 instance thatgrants permissions for the agent to perform actions on your behalf.The CloudWatchAgentServerPolicy is an AWS managed policy that provides the necessary permissions for the agent to write metrics and logs to CloudWatch2. By attaching this policy to the EC2 instance role, the security engineer can resolve the issue of CloudWatch not receiving the custom application-security logs.

The other options are incorrect for the following reasons:

A.Adding AWS CloudTrail to the trust policy of the EC2 instance is not relevant, because CloudTrail is a service that records API activity in your AWS account, not custom application logs3. Sending the custom logs to CloudTrail instead of CloudWatch would not meet the requirement of forwarding them to CloudWatch.

B.Adding Amazon S3 to the trust policy of the EC2 instance is not necessary, because S3 is a storage service that does not require any trust relationship with EC2 instances4. Configuring the application to write the custom logs to an S3 bucket that CloudWatch can use to ingest the logs would be an alternative solution, but it would be more complex and costly than using the CloudWatch agent directly.

C.Adding Amazon Inspector to the trust policy of theEC2 instance is not helpful, because Inspector is a service that scans EC2 instances for software vulnerabilities and unintended network exposure, not custom application logs5. Using Amazon Inspector instead of the CloudWatch agent would not meet the requirement of forwarding them to CloudWatch.

Option A is incorrect since you don't add a user to the IAM Role

Option C is incorrect since you don't assign multiple users to a policy

Option D is incorrect since this is not an ideal approach

An IAM group is used to collectively manage users who need the same set of permissions. By having groups, it becomes easier to manage permissions. So if you change the permissions on the group scale, it will affect all the users in that group

For more information on IAM Groups, just browse to the below URL:

The correct answer is: Use the IAM groups and add users, based upon their role, to different groups and apply the policy to group

Submit your Feedback/Queries to our Experts